The Uni ed Policy Framework (UPF) · The Uni ed Policy Framework (UPF) Achim D. Brucker Lukas...
Transcript of The Uni ed Policy Framework (UPF) · The Uni ed Policy Framework (UPF) Achim D. Brucker Lukas...
The Unified Policy Framework(UPF)
Achim D Bruckerlowast Lukas Bruggerdagger Burkhart WolffDagger
lowastSAP SE Vincenz-Priessnitz-Str 1 76131 Karlsruhe Germany
achimbruckersapcom
daggerInformation Security ETH Zurich 8092 Zurich Switzerland
LukasABrueggergmailcom
DaggerUniv Paris-Sud Laboratoire LRI UMR8623 91405 Orsay France France
burkhartwolfflrifr
November 30 2014
AbstractWe present the Unified Policy Framework (UPF) a generic frameworkfor modelling security (access-control) policies in IsabelleHOL UPFemphasizes the view that a policy is a policy decision function thatgrants or denies access to resources permissions etc In other wordsinstead of modelling the relations of permitted or prohibited requestsdirectly we model the concrete function that implements the policydecision point in a system seen as an ldquoaspectrdquo of ldquowrapperrdquo aroundthe business logic of a system In more detail UPF is based on thefollowing four principles 1 Functional representation of policies 2 Noconflicts are possible 3 Three-valued decision type (allow deny un-defined) 4 Output type not containing the decision only
Contents
1 Introduction 5
2 The Unified Policy Framework (UPF) 721 The Core of the Unified Policy Framework (UPF) 7
211 Foundation 7
212 Policy Constructors 8
213 Override Operators 9
214 Coercion Operators 11
22 Elementary Policies 14
221 The Core Policy Combinators Allow and Deny Everything 14
222 Common Instances 15
223 Domain Range and Restrictions 17
23 Sequential Composition 21
231 Flattening 21
232 Policy Composition 24
24 Parallel Composition 25
241 Parallel Combinators Foundations 26
242 Combinators for Transition Policies 29
243 Range Splitting 29
244 Distributivity of the parallel combinators 30
25 Properties on Policies 32
251 Basic Properties 32
252 Combined Data-Policy Refinement 34
253 Equivalence of Policies 34
26 Policy Transformations 35
261 Elementary Operators 36
262 Distributivity of the Transformation 40
27 Policy Transformation for Testing 44
28 Putting Everything Together UPF 46
3 Example 4931 Secure Service Specification 49
311 Datatypes for Modelling Users and Roles 49
312 Modelling Health Records and the Web Service API 50
313 Modelling Access Control 53
314 The State Transitions and Output Function 57
3
315 Combine All Parts 5832 Instantiating Our Secure Service Example 59
321 Access Control Configuration 59322 The Initial System State 60323 Basic Properties 60
4 Conclusion and Related Work 6341 Related Work 6342 Conclusion Future Work 63
5 Appendix 6551 Basic Monad Theory for Sequential Computations 65
511 General Framework for Monad-based Sequence-Test 65512 Valid Test Sequences in the State Exception Monad 72513 Valid Test Sequences in the State Exception Backtrack Monad 76
4
1 Introduction
Access control i e restricting the access to information or resources is an importantpillar of todayrsquos information security portfolio Thus the large number of access controlmodels (e g [1 5 6 15ndash17 19 21]) and variants thereof (e g [2 2 4 7 14 18 22])is not surprising On the one hand this variety of specialized access control modelsallows concise representation of access control policies On the other hand the lack of acommon foundations makes it difficult to compare and analyze different access controlmodels formally
We present formalization of the Unified Policy Framework (UPF) [13] that providesa formal semantics for the core concepts of access control policiesb It can serve as ameta-model for a large set of well-known access control policies and moreover serve asa framework for analysis and test generation tools addressing common ground in policymodels Thus UPF for comparing different access control models including a formalcorrectness proof of a specific embedding for example implementing a role-based accesscontrol policy in terms of a discretionary access enforcement architecture Moreoverdefining well-known access control models by instantiating a unified policy frameworkallows to re-use tools such as test-case generators that are already provided for the uni-fied policy framework As the instantiation of a unified policy framework may also definea domain-specific (i e access control model specific) set of policy combinators (syntax)such an approach still provides the usual notations and thus a concise representation ofaccess control policies
UPF was already successful used as a basis for large scale access control policies in thehealth care domain [10] as well as in the domain of firewall and router policies [12] Inboth domains the formal policy specifications served as basis for the generation usingHOL-TestGen [9] of test cases that can be used for validating the compliance of animplementation to the formal model UPF is based on the following four principles
1 policies are represented as functions (rather than relations)
2 policy combination avoids conflicts by construction
3 the decision type is three-valued (allow deny undefined)
4 the output type does not only contain the decision but also a lsquoslotrsquo for arbitraryresult data
UPF is related to the state-exception monad modeling failing computations in somecases our UPF model makes explicit use of this connection although it is not centralThe used theory for state-exception monads can be found in the appendix
5
2 The Unified Policy Framework (UPF)
21 The Core of the Unified Policy Framework (UPF)
theoryUPFCore
importsMonads
begin
211 Foundation
The purpose of this theory is to formalize a somewhat non-standard view on the funda-mental concept of a security policy which is worth outlining This view has arisen fromprior experience in the modelling of network (firewall) policies Instead of regardingpolicies as relations on resources sets of permissions etc we emphasise the view thata policy is a policy decision function that grants or denies access to resources permis-sions etc In other words we model the concrete function that implements the policydecision point in a system and which represents a rdquowrapperrdquo around the business logicAn advantage of this view is that it is compatible with many different policy modelsenabling a uniform modelling framework to be defined Furthermore this function istypically a large cascade of nested conditionals using conditions referring to an internalstate and security contexts of the system or a user This cascade of conditionals caneasily be decomposed into a set of test cases similar to transformations used for binarydecision diagrams (BDD) and motivate equivalence class testing for unit test and se-quence test scenarios From the modelling perspective using HOLas its input languagewe will consequently use the expressive power of its underlying functional programminglanguage including the possibility to define higher-order combinators
In more detail we model policies as partial functions based on input data α (argu-ments system state security context ) to output data β
datatype primeα decision = allow primeα | deny primeα
type-synonym ( primeα primeβ) policy = primeα primeβ decision (infixr |minusgt 0 )
In the following we introduce a number of shortcuts and alternative notations Thetype of policies is represented as
translations (type) primeα |minusgt primeβ lt= (type) primeα primeβ decisiontype-notation (xsymbols) policy (infixr 7rarr 0 )
7
allowing the notation primeα 7rarr primeβ for the policy type and the alternative notations forNone and Some of the HOLlibrary primeα option type
notation None (perp)notation Some (b-c 80 )
Thus the range of a policy may consist of baccept xc data of bdeny xc data as wellas perp modeling the undefinedness of a policy ie a policy is considered as a partialfunction Partial functions are used since we describe elementary policies by partialsystem behaviour which are glued together by operators such as function override andfunctional composition
We define the two fundamental sets the allow-set Allow and the deny-set Deny (writ-ten A and D set for short) to characterize these two main sets of the range of a policy
definition Allow ( primeα decision) setwhere Allow = range allow
definition Deny ( primeα decision) setwhere Deny = range deny
212 Policy Constructors
Most elementary policy constructors are based on the update operation Funfun-upd-deff (a = b) equiv λx if x = a then b else f x and the maplet-notation a(x 7rarr y) usedfor a(x 7rarr y)
Furthermore we add notation adopted to our problem domain
nonterminal policylets and policylet
syntax-policylet1 [ primea primea] =gt policylet (- += -)-policylet2 [ primea primea] =gt policylet (- minus= -)
policylet =gt policylets (-)-Maplets [policylet policylets] =gt policylets (- -)-Maplets [policylet policylets] =gt policylets (- -)-MapUpd [ primea |minusgt primeb policylets] =gt primea |minusgt primeb (- prime(- prime) [900 0 ]900 )
syntax (xsymbols)-policylet1 [ primea primea] =gt policylet (- 7rarr+ -)-policylet2 [ primea primea] =gt policylet (- 7rarrminus -)-emptypolicy primea |minusgt primeb (empty)
translations-MapUpd m (-Maplets xy ms) -MapUpd (-MapUpd m xy) ms-MapUpd m (-policylet1 x y) m(x = CONST Some (CONST allow y))-MapUpd m (-policylet2 x y) m(x = CONST Some (CONST deny y))
8
empty CONST empty
Here are some lemmas essentially showing syntactic equivalences
lemma test empty(x+=a yminus= b) = empty(x 7rarr+ a y 7rarrminus b) by simp
lemma test2 p(x 7rarr+ax 7rarrminusb) = p(x 7rarrminusb) by simp
We inherit a fairly rich theory on policy updates from Map here Some examples are
lemma pol-upd-triv1 t k = ballow xc =rArr t(k 7rarr+x ) = tby (rule ext) simp
lemma pol-upd-triv2 t k = bdeny xc =rArr t(k 7rarrminusx ) = tby (rule ext) simp
lemma pol-upd-allow-nonempty t(k 7rarr+x ) 6= emptyby simp
lemma pol-upd-deny-nonempty t(k 7rarrminusx ) 6= emptyby simp
lemma pol-upd-eqD1 m(a 7rarr+x ) = n(a 7rarr+y) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-eqD2 m(a 7rarrminusx ) = n(a 7rarrminusy) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-neq1 [simp] m(a 7rarr+x ) 6= n(a 7rarrminusy)by(auto dest map-upd-eqD1 )
213 Override Operators
Key operators for constructing policies are the override operators There are four differ-ent versions of them with one of them being the override operator from the Map theoryAs it is common to compose policy rules in a ldquoleft-to-right-first-fitrdquo-manner that oneis taken as default defined by a syntax translation from the provided override operatorfrom the Map theory (which does it in reverse order)
syntax-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl (+p) 100 )
syntax (xsymbols)-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplus100 )
translationspoplus
q q ++ p
9
Some elementary facts inherited from Map are
lemma override-empty poplusempty = p
by simp
lemma empty-override emptyoplus
p = pby simp
lemma override-assoc p1oplus
(p2oplus
p3 ) = (p1oplus
p2 )oplus
p3by simp
The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual
definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =
(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc
| - rArr bdeny ac)| perp rArr m2 x )
)
syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusA 100 )
translationspoplus
A q p ++-A q
lemma override-A-empty [simp] poplus
A empty = pby(simp add override-A-def )
lemma empty-override-A[simp] emptyoplus
A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
lemma override-A-assoc p1oplus
A (p2oplus
A p3 ) = (p1oplus
A p2 )oplus
A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)
definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )
10
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
Contents
1 Introduction 5
2 The Unified Policy Framework (UPF) 721 The Core of the Unified Policy Framework (UPF) 7
211 Foundation 7
212 Policy Constructors 8
213 Override Operators 9
214 Coercion Operators 11
22 Elementary Policies 14
221 The Core Policy Combinators Allow and Deny Everything 14
222 Common Instances 15
223 Domain Range and Restrictions 17
23 Sequential Composition 21
231 Flattening 21
232 Policy Composition 24
24 Parallel Composition 25
241 Parallel Combinators Foundations 26
242 Combinators for Transition Policies 29
243 Range Splitting 29
244 Distributivity of the parallel combinators 30
25 Properties on Policies 32
251 Basic Properties 32
252 Combined Data-Policy Refinement 34
253 Equivalence of Policies 34
26 Policy Transformations 35
261 Elementary Operators 36
262 Distributivity of the Transformation 40
27 Policy Transformation for Testing 44
28 Putting Everything Together UPF 46
3 Example 4931 Secure Service Specification 49
311 Datatypes for Modelling Users and Roles 49
312 Modelling Health Records and the Web Service API 50
313 Modelling Access Control 53
314 The State Transitions and Output Function 57
3
315 Combine All Parts 5832 Instantiating Our Secure Service Example 59
321 Access Control Configuration 59322 The Initial System State 60323 Basic Properties 60
4 Conclusion and Related Work 6341 Related Work 6342 Conclusion Future Work 63
5 Appendix 6551 Basic Monad Theory for Sequential Computations 65
511 General Framework for Monad-based Sequence-Test 65512 Valid Test Sequences in the State Exception Monad 72513 Valid Test Sequences in the State Exception Backtrack Monad 76
4
1 Introduction
Access control i e restricting the access to information or resources is an importantpillar of todayrsquos information security portfolio Thus the large number of access controlmodels (e g [1 5 6 15ndash17 19 21]) and variants thereof (e g [2 2 4 7 14 18 22])is not surprising On the one hand this variety of specialized access control modelsallows concise representation of access control policies On the other hand the lack of acommon foundations makes it difficult to compare and analyze different access controlmodels formally
We present formalization of the Unified Policy Framework (UPF) [13] that providesa formal semantics for the core concepts of access control policiesb It can serve as ameta-model for a large set of well-known access control policies and moreover serve asa framework for analysis and test generation tools addressing common ground in policymodels Thus UPF for comparing different access control models including a formalcorrectness proof of a specific embedding for example implementing a role-based accesscontrol policy in terms of a discretionary access enforcement architecture Moreoverdefining well-known access control models by instantiating a unified policy frameworkallows to re-use tools such as test-case generators that are already provided for the uni-fied policy framework As the instantiation of a unified policy framework may also definea domain-specific (i e access control model specific) set of policy combinators (syntax)such an approach still provides the usual notations and thus a concise representation ofaccess control policies
UPF was already successful used as a basis for large scale access control policies in thehealth care domain [10] as well as in the domain of firewall and router policies [12] Inboth domains the formal policy specifications served as basis for the generation usingHOL-TestGen [9] of test cases that can be used for validating the compliance of animplementation to the formal model UPF is based on the following four principles
1 policies are represented as functions (rather than relations)
2 policy combination avoids conflicts by construction
3 the decision type is three-valued (allow deny undefined)
4 the output type does not only contain the decision but also a lsquoslotrsquo for arbitraryresult data
UPF is related to the state-exception monad modeling failing computations in somecases our UPF model makes explicit use of this connection although it is not centralThe used theory for state-exception monads can be found in the appendix
5
2 The Unified Policy Framework (UPF)
21 The Core of the Unified Policy Framework (UPF)
theoryUPFCore
importsMonads
begin
211 Foundation
The purpose of this theory is to formalize a somewhat non-standard view on the funda-mental concept of a security policy which is worth outlining This view has arisen fromprior experience in the modelling of network (firewall) policies Instead of regardingpolicies as relations on resources sets of permissions etc we emphasise the view thata policy is a policy decision function that grants or denies access to resources permis-sions etc In other words we model the concrete function that implements the policydecision point in a system and which represents a rdquowrapperrdquo around the business logicAn advantage of this view is that it is compatible with many different policy modelsenabling a uniform modelling framework to be defined Furthermore this function istypically a large cascade of nested conditionals using conditions referring to an internalstate and security contexts of the system or a user This cascade of conditionals caneasily be decomposed into a set of test cases similar to transformations used for binarydecision diagrams (BDD) and motivate equivalence class testing for unit test and se-quence test scenarios From the modelling perspective using HOLas its input languagewe will consequently use the expressive power of its underlying functional programminglanguage including the possibility to define higher-order combinators
In more detail we model policies as partial functions based on input data α (argu-ments system state security context ) to output data β
datatype primeα decision = allow primeα | deny primeα
type-synonym ( primeα primeβ) policy = primeα primeβ decision (infixr |minusgt 0 )
In the following we introduce a number of shortcuts and alternative notations Thetype of policies is represented as
translations (type) primeα |minusgt primeβ lt= (type) primeα primeβ decisiontype-notation (xsymbols) policy (infixr 7rarr 0 )
7
allowing the notation primeα 7rarr primeβ for the policy type and the alternative notations forNone and Some of the HOLlibrary primeα option type
notation None (perp)notation Some (b-c 80 )
Thus the range of a policy may consist of baccept xc data of bdeny xc data as wellas perp modeling the undefinedness of a policy ie a policy is considered as a partialfunction Partial functions are used since we describe elementary policies by partialsystem behaviour which are glued together by operators such as function override andfunctional composition
We define the two fundamental sets the allow-set Allow and the deny-set Deny (writ-ten A and D set for short) to characterize these two main sets of the range of a policy
definition Allow ( primeα decision) setwhere Allow = range allow
definition Deny ( primeα decision) setwhere Deny = range deny
212 Policy Constructors
Most elementary policy constructors are based on the update operation Funfun-upd-deff (a = b) equiv λx if x = a then b else f x and the maplet-notation a(x 7rarr y) usedfor a(x 7rarr y)
Furthermore we add notation adopted to our problem domain
nonterminal policylets and policylet
syntax-policylet1 [ primea primea] =gt policylet (- += -)-policylet2 [ primea primea] =gt policylet (- minus= -)
policylet =gt policylets (-)-Maplets [policylet policylets] =gt policylets (- -)-Maplets [policylet policylets] =gt policylets (- -)-MapUpd [ primea |minusgt primeb policylets] =gt primea |minusgt primeb (- prime(- prime) [900 0 ]900 )
syntax (xsymbols)-policylet1 [ primea primea] =gt policylet (- 7rarr+ -)-policylet2 [ primea primea] =gt policylet (- 7rarrminus -)-emptypolicy primea |minusgt primeb (empty)
translations-MapUpd m (-Maplets xy ms) -MapUpd (-MapUpd m xy) ms-MapUpd m (-policylet1 x y) m(x = CONST Some (CONST allow y))-MapUpd m (-policylet2 x y) m(x = CONST Some (CONST deny y))
8
empty CONST empty
Here are some lemmas essentially showing syntactic equivalences
lemma test empty(x+=a yminus= b) = empty(x 7rarr+ a y 7rarrminus b) by simp
lemma test2 p(x 7rarr+ax 7rarrminusb) = p(x 7rarrminusb) by simp
We inherit a fairly rich theory on policy updates from Map here Some examples are
lemma pol-upd-triv1 t k = ballow xc =rArr t(k 7rarr+x ) = tby (rule ext) simp
lemma pol-upd-triv2 t k = bdeny xc =rArr t(k 7rarrminusx ) = tby (rule ext) simp
lemma pol-upd-allow-nonempty t(k 7rarr+x ) 6= emptyby simp
lemma pol-upd-deny-nonempty t(k 7rarrminusx ) 6= emptyby simp
lemma pol-upd-eqD1 m(a 7rarr+x ) = n(a 7rarr+y) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-eqD2 m(a 7rarrminusx ) = n(a 7rarrminusy) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-neq1 [simp] m(a 7rarr+x ) 6= n(a 7rarrminusy)by(auto dest map-upd-eqD1 )
213 Override Operators
Key operators for constructing policies are the override operators There are four differ-ent versions of them with one of them being the override operator from the Map theoryAs it is common to compose policy rules in a ldquoleft-to-right-first-fitrdquo-manner that oneis taken as default defined by a syntax translation from the provided override operatorfrom the Map theory (which does it in reverse order)
syntax-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl (+p) 100 )
syntax (xsymbols)-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplus100 )
translationspoplus
q q ++ p
9
Some elementary facts inherited from Map are
lemma override-empty poplusempty = p
by simp
lemma empty-override emptyoplus
p = pby simp
lemma override-assoc p1oplus
(p2oplus
p3 ) = (p1oplus
p2 )oplus
p3by simp
The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual
definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =
(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc
| - rArr bdeny ac)| perp rArr m2 x )
)
syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusA 100 )
translationspoplus
A q p ++-A q
lemma override-A-empty [simp] poplus
A empty = pby(simp add override-A-def )
lemma empty-override-A[simp] emptyoplus
A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
lemma override-A-assoc p1oplus
A (p2oplus
A p3 ) = (p1oplus
A p2 )oplus
A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)
definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )
10
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
315 Combine All Parts 5832 Instantiating Our Secure Service Example 59
321 Access Control Configuration 59322 The Initial System State 60323 Basic Properties 60
4 Conclusion and Related Work 6341 Related Work 6342 Conclusion Future Work 63
5 Appendix 6551 Basic Monad Theory for Sequential Computations 65
511 General Framework for Monad-based Sequence-Test 65512 Valid Test Sequences in the State Exception Monad 72513 Valid Test Sequences in the State Exception Backtrack Monad 76
4
1 Introduction
Access control i e restricting the access to information or resources is an importantpillar of todayrsquos information security portfolio Thus the large number of access controlmodels (e g [1 5 6 15ndash17 19 21]) and variants thereof (e g [2 2 4 7 14 18 22])is not surprising On the one hand this variety of specialized access control modelsallows concise representation of access control policies On the other hand the lack of acommon foundations makes it difficult to compare and analyze different access controlmodels formally
We present formalization of the Unified Policy Framework (UPF) [13] that providesa formal semantics for the core concepts of access control policiesb It can serve as ameta-model for a large set of well-known access control policies and moreover serve asa framework for analysis and test generation tools addressing common ground in policymodels Thus UPF for comparing different access control models including a formalcorrectness proof of a specific embedding for example implementing a role-based accesscontrol policy in terms of a discretionary access enforcement architecture Moreoverdefining well-known access control models by instantiating a unified policy frameworkallows to re-use tools such as test-case generators that are already provided for the uni-fied policy framework As the instantiation of a unified policy framework may also definea domain-specific (i e access control model specific) set of policy combinators (syntax)such an approach still provides the usual notations and thus a concise representation ofaccess control policies
UPF was already successful used as a basis for large scale access control policies in thehealth care domain [10] as well as in the domain of firewall and router policies [12] Inboth domains the formal policy specifications served as basis for the generation usingHOL-TestGen [9] of test cases that can be used for validating the compliance of animplementation to the formal model UPF is based on the following four principles
1 policies are represented as functions (rather than relations)
2 policy combination avoids conflicts by construction
3 the decision type is three-valued (allow deny undefined)
4 the output type does not only contain the decision but also a lsquoslotrsquo for arbitraryresult data
UPF is related to the state-exception monad modeling failing computations in somecases our UPF model makes explicit use of this connection although it is not centralThe used theory for state-exception monads can be found in the appendix
5
2 The Unified Policy Framework (UPF)
21 The Core of the Unified Policy Framework (UPF)
theoryUPFCore
importsMonads
begin
211 Foundation
The purpose of this theory is to formalize a somewhat non-standard view on the funda-mental concept of a security policy which is worth outlining This view has arisen fromprior experience in the modelling of network (firewall) policies Instead of regardingpolicies as relations on resources sets of permissions etc we emphasise the view thata policy is a policy decision function that grants or denies access to resources permis-sions etc In other words we model the concrete function that implements the policydecision point in a system and which represents a rdquowrapperrdquo around the business logicAn advantage of this view is that it is compatible with many different policy modelsenabling a uniform modelling framework to be defined Furthermore this function istypically a large cascade of nested conditionals using conditions referring to an internalstate and security contexts of the system or a user This cascade of conditionals caneasily be decomposed into a set of test cases similar to transformations used for binarydecision diagrams (BDD) and motivate equivalence class testing for unit test and se-quence test scenarios From the modelling perspective using HOLas its input languagewe will consequently use the expressive power of its underlying functional programminglanguage including the possibility to define higher-order combinators
In more detail we model policies as partial functions based on input data α (argu-ments system state security context ) to output data β
datatype primeα decision = allow primeα | deny primeα
type-synonym ( primeα primeβ) policy = primeα primeβ decision (infixr |minusgt 0 )
In the following we introduce a number of shortcuts and alternative notations Thetype of policies is represented as
translations (type) primeα |minusgt primeβ lt= (type) primeα primeβ decisiontype-notation (xsymbols) policy (infixr 7rarr 0 )
7
allowing the notation primeα 7rarr primeβ for the policy type and the alternative notations forNone and Some of the HOLlibrary primeα option type
notation None (perp)notation Some (b-c 80 )
Thus the range of a policy may consist of baccept xc data of bdeny xc data as wellas perp modeling the undefinedness of a policy ie a policy is considered as a partialfunction Partial functions are used since we describe elementary policies by partialsystem behaviour which are glued together by operators such as function override andfunctional composition
We define the two fundamental sets the allow-set Allow and the deny-set Deny (writ-ten A and D set for short) to characterize these two main sets of the range of a policy
definition Allow ( primeα decision) setwhere Allow = range allow
definition Deny ( primeα decision) setwhere Deny = range deny
212 Policy Constructors
Most elementary policy constructors are based on the update operation Funfun-upd-deff (a = b) equiv λx if x = a then b else f x and the maplet-notation a(x 7rarr y) usedfor a(x 7rarr y)
Furthermore we add notation adopted to our problem domain
nonterminal policylets and policylet
syntax-policylet1 [ primea primea] =gt policylet (- += -)-policylet2 [ primea primea] =gt policylet (- minus= -)
policylet =gt policylets (-)-Maplets [policylet policylets] =gt policylets (- -)-Maplets [policylet policylets] =gt policylets (- -)-MapUpd [ primea |minusgt primeb policylets] =gt primea |minusgt primeb (- prime(- prime) [900 0 ]900 )
syntax (xsymbols)-policylet1 [ primea primea] =gt policylet (- 7rarr+ -)-policylet2 [ primea primea] =gt policylet (- 7rarrminus -)-emptypolicy primea |minusgt primeb (empty)
translations-MapUpd m (-Maplets xy ms) -MapUpd (-MapUpd m xy) ms-MapUpd m (-policylet1 x y) m(x = CONST Some (CONST allow y))-MapUpd m (-policylet2 x y) m(x = CONST Some (CONST deny y))
8
empty CONST empty
Here are some lemmas essentially showing syntactic equivalences
lemma test empty(x+=a yminus= b) = empty(x 7rarr+ a y 7rarrminus b) by simp
lemma test2 p(x 7rarr+ax 7rarrminusb) = p(x 7rarrminusb) by simp
We inherit a fairly rich theory on policy updates from Map here Some examples are
lemma pol-upd-triv1 t k = ballow xc =rArr t(k 7rarr+x ) = tby (rule ext) simp
lemma pol-upd-triv2 t k = bdeny xc =rArr t(k 7rarrminusx ) = tby (rule ext) simp
lemma pol-upd-allow-nonempty t(k 7rarr+x ) 6= emptyby simp
lemma pol-upd-deny-nonempty t(k 7rarrminusx ) 6= emptyby simp
lemma pol-upd-eqD1 m(a 7rarr+x ) = n(a 7rarr+y) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-eqD2 m(a 7rarrminusx ) = n(a 7rarrminusy) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-neq1 [simp] m(a 7rarr+x ) 6= n(a 7rarrminusy)by(auto dest map-upd-eqD1 )
213 Override Operators
Key operators for constructing policies are the override operators There are four differ-ent versions of them with one of them being the override operator from the Map theoryAs it is common to compose policy rules in a ldquoleft-to-right-first-fitrdquo-manner that oneis taken as default defined by a syntax translation from the provided override operatorfrom the Map theory (which does it in reverse order)
syntax-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl (+p) 100 )
syntax (xsymbols)-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplus100 )
translationspoplus
q q ++ p
9
Some elementary facts inherited from Map are
lemma override-empty poplusempty = p
by simp
lemma empty-override emptyoplus
p = pby simp
lemma override-assoc p1oplus
(p2oplus
p3 ) = (p1oplus
p2 )oplus
p3by simp
The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual
definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =
(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc
| - rArr bdeny ac)| perp rArr m2 x )
)
syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusA 100 )
translationspoplus
A q p ++-A q
lemma override-A-empty [simp] poplus
A empty = pby(simp add override-A-def )
lemma empty-override-A[simp] emptyoplus
A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
lemma override-A-assoc p1oplus
A (p2oplus
A p3 ) = (p1oplus
A p2 )oplus
A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)
definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )
10
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
1 Introduction
Access control i e restricting the access to information or resources is an importantpillar of todayrsquos information security portfolio Thus the large number of access controlmodels (e g [1 5 6 15ndash17 19 21]) and variants thereof (e g [2 2 4 7 14 18 22])is not surprising On the one hand this variety of specialized access control modelsallows concise representation of access control policies On the other hand the lack of acommon foundations makes it difficult to compare and analyze different access controlmodels formally
We present formalization of the Unified Policy Framework (UPF) [13] that providesa formal semantics for the core concepts of access control policiesb It can serve as ameta-model for a large set of well-known access control policies and moreover serve asa framework for analysis and test generation tools addressing common ground in policymodels Thus UPF for comparing different access control models including a formalcorrectness proof of a specific embedding for example implementing a role-based accesscontrol policy in terms of a discretionary access enforcement architecture Moreoverdefining well-known access control models by instantiating a unified policy frameworkallows to re-use tools such as test-case generators that are already provided for the uni-fied policy framework As the instantiation of a unified policy framework may also definea domain-specific (i e access control model specific) set of policy combinators (syntax)such an approach still provides the usual notations and thus a concise representation ofaccess control policies
UPF was already successful used as a basis for large scale access control policies in thehealth care domain [10] as well as in the domain of firewall and router policies [12] Inboth domains the formal policy specifications served as basis for the generation usingHOL-TestGen [9] of test cases that can be used for validating the compliance of animplementation to the formal model UPF is based on the following four principles
1 policies are represented as functions (rather than relations)
2 policy combination avoids conflicts by construction
3 the decision type is three-valued (allow deny undefined)
4 the output type does not only contain the decision but also a lsquoslotrsquo for arbitraryresult data
UPF is related to the state-exception monad modeling failing computations in somecases our UPF model makes explicit use of this connection although it is not centralThe used theory for state-exception monads can be found in the appendix
5
2 The Unified Policy Framework (UPF)
21 The Core of the Unified Policy Framework (UPF)
theoryUPFCore
importsMonads
begin
211 Foundation
The purpose of this theory is to formalize a somewhat non-standard view on the funda-mental concept of a security policy which is worth outlining This view has arisen fromprior experience in the modelling of network (firewall) policies Instead of regardingpolicies as relations on resources sets of permissions etc we emphasise the view thata policy is a policy decision function that grants or denies access to resources permis-sions etc In other words we model the concrete function that implements the policydecision point in a system and which represents a rdquowrapperrdquo around the business logicAn advantage of this view is that it is compatible with many different policy modelsenabling a uniform modelling framework to be defined Furthermore this function istypically a large cascade of nested conditionals using conditions referring to an internalstate and security contexts of the system or a user This cascade of conditionals caneasily be decomposed into a set of test cases similar to transformations used for binarydecision diagrams (BDD) and motivate equivalence class testing for unit test and se-quence test scenarios From the modelling perspective using HOLas its input languagewe will consequently use the expressive power of its underlying functional programminglanguage including the possibility to define higher-order combinators
In more detail we model policies as partial functions based on input data α (argu-ments system state security context ) to output data β
datatype primeα decision = allow primeα | deny primeα
type-synonym ( primeα primeβ) policy = primeα primeβ decision (infixr |minusgt 0 )
In the following we introduce a number of shortcuts and alternative notations Thetype of policies is represented as
translations (type) primeα |minusgt primeβ lt= (type) primeα primeβ decisiontype-notation (xsymbols) policy (infixr 7rarr 0 )
7
allowing the notation primeα 7rarr primeβ for the policy type and the alternative notations forNone and Some of the HOLlibrary primeα option type
notation None (perp)notation Some (b-c 80 )
Thus the range of a policy may consist of baccept xc data of bdeny xc data as wellas perp modeling the undefinedness of a policy ie a policy is considered as a partialfunction Partial functions are used since we describe elementary policies by partialsystem behaviour which are glued together by operators such as function override andfunctional composition
We define the two fundamental sets the allow-set Allow and the deny-set Deny (writ-ten A and D set for short) to characterize these two main sets of the range of a policy
definition Allow ( primeα decision) setwhere Allow = range allow
definition Deny ( primeα decision) setwhere Deny = range deny
212 Policy Constructors
Most elementary policy constructors are based on the update operation Funfun-upd-deff (a = b) equiv λx if x = a then b else f x and the maplet-notation a(x 7rarr y) usedfor a(x 7rarr y)
Furthermore we add notation adopted to our problem domain
nonterminal policylets and policylet
syntax-policylet1 [ primea primea] =gt policylet (- += -)-policylet2 [ primea primea] =gt policylet (- minus= -)
policylet =gt policylets (-)-Maplets [policylet policylets] =gt policylets (- -)-Maplets [policylet policylets] =gt policylets (- -)-MapUpd [ primea |minusgt primeb policylets] =gt primea |minusgt primeb (- prime(- prime) [900 0 ]900 )
syntax (xsymbols)-policylet1 [ primea primea] =gt policylet (- 7rarr+ -)-policylet2 [ primea primea] =gt policylet (- 7rarrminus -)-emptypolicy primea |minusgt primeb (empty)
translations-MapUpd m (-Maplets xy ms) -MapUpd (-MapUpd m xy) ms-MapUpd m (-policylet1 x y) m(x = CONST Some (CONST allow y))-MapUpd m (-policylet2 x y) m(x = CONST Some (CONST deny y))
8
empty CONST empty
Here are some lemmas essentially showing syntactic equivalences
lemma test empty(x+=a yminus= b) = empty(x 7rarr+ a y 7rarrminus b) by simp
lemma test2 p(x 7rarr+ax 7rarrminusb) = p(x 7rarrminusb) by simp
We inherit a fairly rich theory on policy updates from Map here Some examples are
lemma pol-upd-triv1 t k = ballow xc =rArr t(k 7rarr+x ) = tby (rule ext) simp
lemma pol-upd-triv2 t k = bdeny xc =rArr t(k 7rarrminusx ) = tby (rule ext) simp
lemma pol-upd-allow-nonempty t(k 7rarr+x ) 6= emptyby simp
lemma pol-upd-deny-nonempty t(k 7rarrminusx ) 6= emptyby simp
lemma pol-upd-eqD1 m(a 7rarr+x ) = n(a 7rarr+y) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-eqD2 m(a 7rarrminusx ) = n(a 7rarrminusy) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-neq1 [simp] m(a 7rarr+x ) 6= n(a 7rarrminusy)by(auto dest map-upd-eqD1 )
213 Override Operators
Key operators for constructing policies are the override operators There are four differ-ent versions of them with one of them being the override operator from the Map theoryAs it is common to compose policy rules in a ldquoleft-to-right-first-fitrdquo-manner that oneis taken as default defined by a syntax translation from the provided override operatorfrom the Map theory (which does it in reverse order)
syntax-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl (+p) 100 )
syntax (xsymbols)-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplus100 )
translationspoplus
q q ++ p
9
Some elementary facts inherited from Map are
lemma override-empty poplusempty = p
by simp
lemma empty-override emptyoplus
p = pby simp
lemma override-assoc p1oplus
(p2oplus
p3 ) = (p1oplus
p2 )oplus
p3by simp
The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual
definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =
(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc
| - rArr bdeny ac)| perp rArr m2 x )
)
syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusA 100 )
translationspoplus
A q p ++-A q
lemma override-A-empty [simp] poplus
A empty = pby(simp add override-A-def )
lemma empty-override-A[simp] emptyoplus
A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
lemma override-A-assoc p1oplus
A (p2oplus
A p3 ) = (p1oplus
A p2 )oplus
A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)
definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )
10
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
2 The Unified Policy Framework (UPF)
21 The Core of the Unified Policy Framework (UPF)
theoryUPFCore
importsMonads
begin
211 Foundation
The purpose of this theory is to formalize a somewhat non-standard view on the funda-mental concept of a security policy which is worth outlining This view has arisen fromprior experience in the modelling of network (firewall) policies Instead of regardingpolicies as relations on resources sets of permissions etc we emphasise the view thata policy is a policy decision function that grants or denies access to resources permis-sions etc In other words we model the concrete function that implements the policydecision point in a system and which represents a rdquowrapperrdquo around the business logicAn advantage of this view is that it is compatible with many different policy modelsenabling a uniform modelling framework to be defined Furthermore this function istypically a large cascade of nested conditionals using conditions referring to an internalstate and security contexts of the system or a user This cascade of conditionals caneasily be decomposed into a set of test cases similar to transformations used for binarydecision diagrams (BDD) and motivate equivalence class testing for unit test and se-quence test scenarios From the modelling perspective using HOLas its input languagewe will consequently use the expressive power of its underlying functional programminglanguage including the possibility to define higher-order combinators
In more detail we model policies as partial functions based on input data α (argu-ments system state security context ) to output data β
datatype primeα decision = allow primeα | deny primeα
type-synonym ( primeα primeβ) policy = primeα primeβ decision (infixr |minusgt 0 )
In the following we introduce a number of shortcuts and alternative notations Thetype of policies is represented as
translations (type) primeα |minusgt primeβ lt= (type) primeα primeβ decisiontype-notation (xsymbols) policy (infixr 7rarr 0 )
7
allowing the notation primeα 7rarr primeβ for the policy type and the alternative notations forNone and Some of the HOLlibrary primeα option type
notation None (perp)notation Some (b-c 80 )
Thus the range of a policy may consist of baccept xc data of bdeny xc data as wellas perp modeling the undefinedness of a policy ie a policy is considered as a partialfunction Partial functions are used since we describe elementary policies by partialsystem behaviour which are glued together by operators such as function override andfunctional composition
We define the two fundamental sets the allow-set Allow and the deny-set Deny (writ-ten A and D set for short) to characterize these two main sets of the range of a policy
definition Allow ( primeα decision) setwhere Allow = range allow
definition Deny ( primeα decision) setwhere Deny = range deny
212 Policy Constructors
Most elementary policy constructors are based on the update operation Funfun-upd-deff (a = b) equiv λx if x = a then b else f x and the maplet-notation a(x 7rarr y) usedfor a(x 7rarr y)
Furthermore we add notation adopted to our problem domain
nonterminal policylets and policylet
syntax-policylet1 [ primea primea] =gt policylet (- += -)-policylet2 [ primea primea] =gt policylet (- minus= -)
policylet =gt policylets (-)-Maplets [policylet policylets] =gt policylets (- -)-Maplets [policylet policylets] =gt policylets (- -)-MapUpd [ primea |minusgt primeb policylets] =gt primea |minusgt primeb (- prime(- prime) [900 0 ]900 )
syntax (xsymbols)-policylet1 [ primea primea] =gt policylet (- 7rarr+ -)-policylet2 [ primea primea] =gt policylet (- 7rarrminus -)-emptypolicy primea |minusgt primeb (empty)
translations-MapUpd m (-Maplets xy ms) -MapUpd (-MapUpd m xy) ms-MapUpd m (-policylet1 x y) m(x = CONST Some (CONST allow y))-MapUpd m (-policylet2 x y) m(x = CONST Some (CONST deny y))
8
empty CONST empty
Here are some lemmas essentially showing syntactic equivalences
lemma test empty(x+=a yminus= b) = empty(x 7rarr+ a y 7rarrminus b) by simp
lemma test2 p(x 7rarr+ax 7rarrminusb) = p(x 7rarrminusb) by simp
We inherit a fairly rich theory on policy updates from Map here Some examples are
lemma pol-upd-triv1 t k = ballow xc =rArr t(k 7rarr+x ) = tby (rule ext) simp
lemma pol-upd-triv2 t k = bdeny xc =rArr t(k 7rarrminusx ) = tby (rule ext) simp
lemma pol-upd-allow-nonempty t(k 7rarr+x ) 6= emptyby simp
lemma pol-upd-deny-nonempty t(k 7rarrminusx ) 6= emptyby simp
lemma pol-upd-eqD1 m(a 7rarr+x ) = n(a 7rarr+y) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-eqD2 m(a 7rarrminusx ) = n(a 7rarrminusy) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-neq1 [simp] m(a 7rarr+x ) 6= n(a 7rarrminusy)by(auto dest map-upd-eqD1 )
213 Override Operators
Key operators for constructing policies are the override operators There are four differ-ent versions of them with one of them being the override operator from the Map theoryAs it is common to compose policy rules in a ldquoleft-to-right-first-fitrdquo-manner that oneis taken as default defined by a syntax translation from the provided override operatorfrom the Map theory (which does it in reverse order)
syntax-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl (+p) 100 )
syntax (xsymbols)-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplus100 )
translationspoplus
q q ++ p
9
Some elementary facts inherited from Map are
lemma override-empty poplusempty = p
by simp
lemma empty-override emptyoplus
p = pby simp
lemma override-assoc p1oplus
(p2oplus
p3 ) = (p1oplus
p2 )oplus
p3by simp
The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual
definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =
(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc
| - rArr bdeny ac)| perp rArr m2 x )
)
syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusA 100 )
translationspoplus
A q p ++-A q
lemma override-A-empty [simp] poplus
A empty = pby(simp add override-A-def )
lemma empty-override-A[simp] emptyoplus
A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
lemma override-A-assoc p1oplus
A (p2oplus
A p3 ) = (p1oplus
A p2 )oplus
A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)
definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )
10
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
allowing the notation primeα 7rarr primeβ for the policy type and the alternative notations forNone and Some of the HOLlibrary primeα option type
notation None (perp)notation Some (b-c 80 )
Thus the range of a policy may consist of baccept xc data of bdeny xc data as wellas perp modeling the undefinedness of a policy ie a policy is considered as a partialfunction Partial functions are used since we describe elementary policies by partialsystem behaviour which are glued together by operators such as function override andfunctional composition
We define the two fundamental sets the allow-set Allow and the deny-set Deny (writ-ten A and D set for short) to characterize these two main sets of the range of a policy
definition Allow ( primeα decision) setwhere Allow = range allow
definition Deny ( primeα decision) setwhere Deny = range deny
212 Policy Constructors
Most elementary policy constructors are based on the update operation Funfun-upd-deff (a = b) equiv λx if x = a then b else f x and the maplet-notation a(x 7rarr y) usedfor a(x 7rarr y)
Furthermore we add notation adopted to our problem domain
nonterminal policylets and policylet
syntax-policylet1 [ primea primea] =gt policylet (- += -)-policylet2 [ primea primea] =gt policylet (- minus= -)
policylet =gt policylets (-)-Maplets [policylet policylets] =gt policylets (- -)-Maplets [policylet policylets] =gt policylets (- -)-MapUpd [ primea |minusgt primeb policylets] =gt primea |minusgt primeb (- prime(- prime) [900 0 ]900 )
syntax (xsymbols)-policylet1 [ primea primea] =gt policylet (- 7rarr+ -)-policylet2 [ primea primea] =gt policylet (- 7rarrminus -)-emptypolicy primea |minusgt primeb (empty)
translations-MapUpd m (-Maplets xy ms) -MapUpd (-MapUpd m xy) ms-MapUpd m (-policylet1 x y) m(x = CONST Some (CONST allow y))-MapUpd m (-policylet2 x y) m(x = CONST Some (CONST deny y))
8
empty CONST empty
Here are some lemmas essentially showing syntactic equivalences
lemma test empty(x+=a yminus= b) = empty(x 7rarr+ a y 7rarrminus b) by simp
lemma test2 p(x 7rarr+ax 7rarrminusb) = p(x 7rarrminusb) by simp
We inherit a fairly rich theory on policy updates from Map here Some examples are
lemma pol-upd-triv1 t k = ballow xc =rArr t(k 7rarr+x ) = tby (rule ext) simp
lemma pol-upd-triv2 t k = bdeny xc =rArr t(k 7rarrminusx ) = tby (rule ext) simp
lemma pol-upd-allow-nonempty t(k 7rarr+x ) 6= emptyby simp
lemma pol-upd-deny-nonempty t(k 7rarrminusx ) 6= emptyby simp
lemma pol-upd-eqD1 m(a 7rarr+x ) = n(a 7rarr+y) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-eqD2 m(a 7rarrminusx ) = n(a 7rarrminusy) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-neq1 [simp] m(a 7rarr+x ) 6= n(a 7rarrminusy)by(auto dest map-upd-eqD1 )
213 Override Operators
Key operators for constructing policies are the override operators There are four differ-ent versions of them with one of them being the override operator from the Map theoryAs it is common to compose policy rules in a ldquoleft-to-right-first-fitrdquo-manner that oneis taken as default defined by a syntax translation from the provided override operatorfrom the Map theory (which does it in reverse order)
syntax-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl (+p) 100 )
syntax (xsymbols)-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplus100 )
translationspoplus
q q ++ p
9
Some elementary facts inherited from Map are
lemma override-empty poplusempty = p
by simp
lemma empty-override emptyoplus
p = pby simp
lemma override-assoc p1oplus
(p2oplus
p3 ) = (p1oplus
p2 )oplus
p3by simp
The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual
definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =
(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc
| - rArr bdeny ac)| perp rArr m2 x )
)
syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusA 100 )
translationspoplus
A q p ++-A q
lemma override-A-empty [simp] poplus
A empty = pby(simp add override-A-def )
lemma empty-override-A[simp] emptyoplus
A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
lemma override-A-assoc p1oplus
A (p2oplus
A p3 ) = (p1oplus
A p2 )oplus
A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)
definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )
10
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
empty CONST empty
Here are some lemmas essentially showing syntactic equivalences
lemma test empty(x+=a yminus= b) = empty(x 7rarr+ a y 7rarrminus b) by simp
lemma test2 p(x 7rarr+ax 7rarrminusb) = p(x 7rarrminusb) by simp
We inherit a fairly rich theory on policy updates from Map here Some examples are
lemma pol-upd-triv1 t k = ballow xc =rArr t(k 7rarr+x ) = tby (rule ext) simp
lemma pol-upd-triv2 t k = bdeny xc =rArr t(k 7rarrminusx ) = tby (rule ext) simp
lemma pol-upd-allow-nonempty t(k 7rarr+x ) 6= emptyby simp
lemma pol-upd-deny-nonempty t(k 7rarrminusx ) 6= emptyby simp
lemma pol-upd-eqD1 m(a 7rarr+x ) = n(a 7rarr+y) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-eqD2 m(a 7rarrminusx ) = n(a 7rarrminusy) =rArr x = yby(auto dest map-upd-eqD1 )
lemma pol-upd-neq1 [simp] m(a 7rarr+x ) 6= n(a 7rarrminusy)by(auto dest map-upd-eqD1 )
213 Override Operators
Key operators for constructing policies are the override operators There are four differ-ent versions of them with one of them being the override operator from the Map theoryAs it is common to compose policy rules in a ldquoleft-to-right-first-fitrdquo-manner that oneis taken as default defined by a syntax translation from the provided override operatorfrom the Map theory (which does it in reverse order)
syntax-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl (+p) 100 )
syntax (xsymbols)-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplus100 )
translationspoplus
q q ++ p
9
Some elementary facts inherited from Map are
lemma override-empty poplusempty = p
by simp
lemma empty-override emptyoplus
p = pby simp
lemma override-assoc p1oplus
(p2oplus
p3 ) = (p1oplus
p2 )oplus
p3by simp
The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual
definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =
(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc
| - rArr bdeny ac)| perp rArr m2 x )
)
syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusA 100 )
translationspoplus
A q p ++-A q
lemma override-A-empty [simp] poplus
A empty = pby(simp add override-A-def )
lemma empty-override-A[simp] emptyoplus
A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
lemma override-A-assoc p1oplus
A (p2oplus
A p3 ) = (p1oplus
A p2 )oplus
A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)
definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )
10
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
Some elementary facts inherited from Map are
lemma override-empty poplusempty = p
by simp
lemma empty-override emptyoplus
p = pby simp
lemma override-assoc p1oplus
(p2oplus
p3 ) = (p1oplus
p2 )oplus
p3by simp
The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual
definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =
(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc
| - rArr bdeny ac)| perp rArr m2 x )
)
syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusA 100 )
translationspoplus
A q p ++-A q
lemma override-A-empty [simp] poplus
A empty = pby(simp add override-A-def )
lemma empty-override-A[simp] emptyoplus
A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
lemma override-A-assoc p1oplus
A (p2oplus
A p3 ) = (p1oplus
A p2 )oplus
A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)
definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )
10
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
where m1 ++-D m2 =(λx case m2 x of
bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc
| - rArr ballow ac)| perp rArr m1 x
)
syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl
oplusD 100 )
translationspoplus
D q p ++-D q
lemma override-D-empty [simp] poplus
D empty = pby(simp add override-D-def )
lemma empty-override-D [simp] emptyoplus
D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)
done
lemma override-D-assoc p1oplus
D (p2oplus
D p3 ) = (p1oplus
D p2 )oplus
D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)
done
214 Coercion Operators
Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context
An analogous for the range of a policy is defined as follows
definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where
f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)
syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )
11
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
translationsp of q p o-f q
lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )
done
A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows
definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )
where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)
lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )
done
lemma range-split-charn(f g) nabla p = (λx case p x of
ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)
apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The connection between these two becomes apparent if considering the followinglemma
lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )
lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )
12
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (case-tac p x )apply (simp-all)
apply (case-tac a)apply (simp-all)
done
lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )
apply (simp-all)apply (case-tac a)
apply (simp-all)done
The next three operators are rather exotic and in most cases not used
The following is a variant of range split where the change in the decision depends onthe input instead of the output
definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of
ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)
definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of
ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)
definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of
ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)
The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]
definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of
13
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)
lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def
range-split-def dom-split2-def map-add-def restrict-map-defend
22 Elementary Policies
theoryElementaryPolicies
importsUPFCore
begin
In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory
221 The Core Policy Combinators Allow and Deny Everything
definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where
deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)
definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where
allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)
syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)
translationsAp f AllA f
syntax (xsymbols)
14
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations
Dp f AllD f
notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )
lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )
lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )
lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )
lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )
lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)
done
222 Common Instances
definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )
definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )
definition
15
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)
definitionallow-all-id primeα 7rarr primeα (AI) where
allow-all-id equiv allow-pfun (id o Some)
definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c
definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c
and resulting properties
lemma AIoplus
empty = AI
apply simpdone
lemma Af foplus
empty = Af fapply simpdone
lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done
lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus
x = (allow-pfun pf )
apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done
lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus
x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done
16
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
223 Domain Range and Restrictions
Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image
abbreviation range (rsquoa =gt rsquob) =gt rsquob set
where -- of function range f == f lsquo UNIV
As a consequence we inherit the following properties on policies
bull MapdomD a isin dom m =rArr exist b m a = bbc
bull MapdomI m a = bbc =rArr a isin dom m
bull MapdomIff (a isin dom m) = (m a 6= perp)
bull Mapdom_const dom (λx bf xc) = UNIV
bull Mapdom_def dom m = a m a 6= perp
bull Mapdom_empty dom empty =
bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)
bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])
bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))
bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
However some properties are specific to policy concepts
lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done
lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )
17
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (case-tac f x simp-all)done
lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )
lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done
lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )
lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )
done
lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)
done
lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )
18
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (auto simp image-def ran-def )done
Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod
bull Mapdom_map_add dom (noplus
m) = dom n cup dom m
bull Mapinj_on_map_add_dom inj-on (m primeoplus
m) (dom m prime) = inj-on m prime (domm prime)
bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus
m1 0 =m1 0
oplusm2 0
bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(2) m isin dom l1 0 =rArr (l2 0oplus
l1 0 ) m =l2 0 m
bull Mapmap_add_dom_app_simps(3) m isin dom l2 0 =rArr (l2 0oplus
l1 0 ) m =l1 0 m
bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus
e1 0 (m 7rarr u1 0 ) =(e2 0
opluse1 0 )(m 7rarr u1 0 )
The latter rule also applies to allow- and deny-override
definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)
lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)
done
lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)
19
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)
definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)
lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )
done
lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )
lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])
done
lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def
dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done
lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )
done
lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )
20
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
done
lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def
allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def
end
23 Sequential Composition
theorySeqComposition
importsElementaryPolicies
begin
Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined
231 Flattening
A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition
fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y
lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)
21
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y
lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y
lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)
apply (case-tac x )
22
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y
lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)
apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)
done
23
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
232 Policy Composition
The following definition allows to compose two policies Denies and allows are trans-ferred
fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of
byc rArr bdeny yc| perp rArr perp)
| lift f (allow s) = (case f s ofbyc rArr ballow yc
| perp rArr perp)
lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)
done
Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition
definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )
notation (xsymbols)comp-orA (infixl orA 55 )
lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )
lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )
definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )
notation (xsymbols)comp-orD (infixl orD 55 )
lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )
24
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )
definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-1 (infixl 1 55 )
lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )
lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )
definitioncomp-2 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-2 55 ) wherep2 o-2 p1 equiv (map-option flat-2 ) o (lift p2 o-m p1 )
notation (xsymbols)comp-2 (infixl 2 55 )
lemma comp-2-mt [simp]p 2 empty = emptyby(simp add comp-2-def )
lemma mt-comp-2 [simp]empty 2 p = emptyby(simp add comp-2-def )
end
24 Parallel Composition
theoryParallelComposition
importsElementaryPolicies
begin
The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them
The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or
25
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them
In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening
241 Parallel Combinators Foundations
There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties
definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )
where p1otimesorA p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orA-mt [simp]potimesorA empty = empty
apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orA[simp]emptyotimesorA p = empty
apply (rule ext)apply (simp add prod-orA-def )
done
lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1
otimesorA p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
26
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )
where p1otimesorD p2 =
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| perp rArr perp))
lemma prod-orD-mt [simp]potimesorD empty = empty
apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-orD [simp]emptyotimesorD p = empty
apply (rule ext)apply (simp add prod-orD-def )
done
lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1
otimesorD p2 )))
o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
The following two combinators are by definition non-commutative but still strict
definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
1 55 )where p1
otimes1 p2 equiv
(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)
| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c
27
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
| perp rArr perp)|perp rArr perp))
lemma prod-1-mt [simp]potimes
1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-1 [simp]emptyotimes
1 p = emptyapply (rule ext)apply (simp add prod-1-def )
done
definition prod-2 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes
2 55 )where p1
otimes2 p2 equiv
(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of
ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)
|perp rArrperp))
lemma prod-2-mt [simp]potimes
2 empty = emptyapply (rule ext)apply (simp add prod-2-def )apply (auto)apply (simp split optionsplits decisionsplits)
done
lemma mt-prod-2 [simp]emptyotimes
2 p = emptyapply (rule ext)apply (simp add prod-2-def )
done
definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
1I 55 )where p
otimes1I q = (p
otimes1 q) o (λx (x x ))
lemma prod-1-id-mt [simp]potimes
1I empty = empty
28
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (rule ext)apply (simp add prod-1-id-def )
done
lemma mt-prod-1-id [simp]emptyotimes
1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )
done
definition prod-2-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes
2I 55 )wherep
otimes2I q = (p
otimes2 q) o (λx (x x ))
lemma prod-2-id-mt [simp]potimes
2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )
done
lemma mt-prod-2-id [simp]emptyotimes
2I p = emptyapply (rule ext)apply (simp add prod-2-id-def prod-2-def )
done
242 Combinators for Transition Policies
For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps
definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr
otimesM 60 )
where p1otimes
M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c
| perp rArr perp)| perp rArr perp)
definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr
otimesS 60 )
wherep1
otimesS p2 = (p1
otimesM p2 ) o (λ (abc) ((ab)ac))
243 Range Splitting
The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions
29
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr
otimesnabla 100 )
where Potimesnabla p equiv λx case p (fst x ) of
ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)
| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)
| perp rArr perp
An alternative characterisation of the operator is as follows
lemma comp-ran-split-charn(f g)
otimesnabla p = (
(((p Allow)otimesorA (Ap f ))
oplus((p Deny)
otimesorA (Dp g))))
apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def
Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def
split optionsplits decisionsplits)apply (auto)
done
244 Distributivity of the parallel combinators
lemma distr-or1-a (F = F1oplus
F2 ) =rArr (((Notimes
1 F ) o f ) =(((N
otimes1 F1 ) o f )
oplus((N
otimes1 F2 ) o f )))
apply (rule ext)apply (simp add prod-1-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or1 (F = F1oplus
F2 ) =rArr ((g o-f ((Notimes
1 F ) o f )) =((g o-f ((N
otimes1 F1 ) o f ))
oplus(g o-f ((N
otimes1 F2 ) o f ))))
apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def
split decisionsplits optionsplits)done
30
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
lemma distr-or2-a (F = F1oplus
F2 ) =rArr (((Notimes
2 F ) o f ) =(((N
otimes2 F1 ) o f )
oplus((N
otimes2 F2 ) o f )))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-or2 (F = F1oplus
F2 ) =rArr ((r o-f ((Notimes
2 F ) o f )) =((r o-f ((N
otimes2 F1 ) o f ))
oplus(r o-f ((N
otimes2 F2 ) o f ))))
apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-2-def map-add-def
split decisionsplits optionsplits)done
lemma distr-orA (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =
((g o-f ((NotimesorA F1 ) o f ))
oplus(g o-f ((N
otimesorA F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma distr-orD (F = F1oplus
F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =
((g o-f ((NotimesorD F1 ) o f ))
oplus(g o-f ((N
otimesorD F2 ) o f ))))
apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def
split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def
split decisionsplits optionsplits)done
lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)
31
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
done
lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def
parallel-st-def comp-ran-split-defend
25 Properties on Policies
theoryAnalysis
importsParallelCompositionSeqComposition
begin
In this theory several standard policy properties are paraphrased in UPF terms
251 Basic Properties
A Policy Has no Gaps
definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )
Comparing Policies
Policy p is more defined than q
definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)
definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)
lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto
Policy p is more permissive than q
definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))
| bdeny yc rArr True| perp rArr True))
32
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)
lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime
unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
Policy p is more rejective than q
definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))
| ballow yc rArr True| perp rArr True))
lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime
unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and
P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )
apply(simp elim exE )by(erule-tac x = x in allE simp)
lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)
lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)
33
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)
252 Combined Data-Policy Refinement
definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )
where p vabsa absb q equiv(forall a case p a of
perp rArr True| ballow yc rArr (forall a primeisinx absa x=a
exist b prime q a prime = ballow b primecand absb b prime = y)
| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec
and absb b prime = y))
theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)
theorem polref-transassumes A p vfg p prime
and B p prime vf primeg prime p primeprime
shows p vf o f primeg o g prime p primeprime
apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done
253 Equivalence of Policies
Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )
p and q have no conflicts
34
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)
(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))
lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q
shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def
split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+
done
Miscellaneous
lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)
lemma dom-eq dom p cap dom q = =rArr poplus
A q = poplus
D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )
lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus
(dom(p Deny) (Df g))
apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def
deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )
done
end
26 Policy Transformations
theoryNormalisation
35
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
importsSeqCompositionParallelComposition
begin
This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]
261 Elementary Operators
We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator
The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator
definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x
oplusy)) l empty
Determine the position of element of a list
fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))
Provides the first applied rule of a policy given as a list of rules
fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )
else (applied-rule C a xs))|applied-rule C a [] = None
The following is used if the list is constructed backwards
definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )
The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules
fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=
then rm-MT-rules C xselse x(rm-MT-rules C xs))
|rm-MT-rules C [] = []
The following invariant establishes that there are no rules with an empty domain in alist of rules
36
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True
The following related invariant establishes that the policy has not a completely emptydomain
fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False
Next a few theorems about the two invariants and the transformation
lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)
done
lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)
done
lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)
done
lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)
done
lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)
done
lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)
done
37
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)
done
lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)
done
lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)
done
lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)
done
lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)
done
Next a few theorems about applied rule
lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)
qed
lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
by (simp add mrconc)
lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]
proof (induct p rule rev-induct)
38
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
case Nil show caseby (simp add applied-rule-rev-def )
nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )
qedqed
lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr
applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)
lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)
apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)
done
lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)
by (auto simp mrconc)
lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)
proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )
nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)
nextcase False show thesis using snoc False
by (simp add applied-rule-rev-def split split-if-asm)qed
qed
39
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
262 Distributivity of the Transformation
The scenario is the following (can be applied iteratively)
bull Two policies are combined using one of the parallel combinators
bull (eg P = P1 P2) (At least) one of the constituent policies has
bull a normalisation procedures which as output produces a list of
bull policies that are semantically equivalent to the original policy if
bull combined from left to right using the override operator
The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function
fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimesL 54 ) where
prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt
dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []
An instance as usual there are four of them
definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr
otimes2L 55 ) where
xotimes
2L y = (λ d r (xotimes
L y) (opotimes
2) d r)
lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)
done
lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp
The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness
definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1
oplusP2 )) o f )) =
((g o-f ((p N P1 ) o f ))oplus
(g o-f ((p N P2 ) o f ))))))
40
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)
lemma is-distr-orD is-distr (opotimesorD) d r
apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)
done
lemma is-strict-orD is-strict (opotimesorD) d r
apply (simp add is-strict-def )apply (simp add policy-range-comp-def )
done
lemma is-distr-2 is-distr (opotimes
2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )
by simp
lemma is-strict-2 is-strict (opotimes
2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )
done
lemma domStart t isin dom p1 =rArr (p1oplus
p2 ) t = p1 tapply (simp add map-add-dom-app-simps)
done
lemma notDom x isin dom A =rArr not A x = Noneapply auto
done
The following theorems are crucial they establish the correctness of the distribution
lemma Norm-Distr-1 ((r o-f (((opotimes
1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes1) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes1 p) d)))
41
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-2 ((r o-f (((opotimes
2) P1 (list2policy P2 )) o d)) x =((list2policy ((P1
otimesL P2 ) (op
otimes2) r d)) x ))proof (induct
P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimes2 p) d)))
case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def
split optionsplits decisionsplits prod splits)qed
qed
lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorA) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorA p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )
42
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
prod-orA-defsplit optionsplits decisionsplits prod splits)
qedqed
lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =
((list2policy ((P1otimes
L P2 ) (opotimesorD) r d)) x ))
proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )
nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1
otimesorD p) d)))
case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def
split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False
by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def
split optionsplits decisionsplits prod splits)qed
qed
Some domain reasoning
lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
1 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistr2 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes
2 B) o (λx (x x ))) = dom B
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-2-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o
(λ x (x x ))) = dom B
43
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)done
lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o
(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def
split decisionsplits optionsplits prod splits)doneend
27 Policy Transformation for Testing
theoryNormalisationTestSpecification
importsNormalisation
begin
This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)
The examples in the firewall case study provide a good documentation how thesetheories can be applied
This invariant establishes that the domains of a list of rules are pairwise disjoint
fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True
fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True
lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))
apply (induct PL)apply (auto simp list2policy-def dom-def )
44
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
done
lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )
done
lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )
done
lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr
PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )
done
lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList
PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)
done
It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this
fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =
45
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))
definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and
(PUTList PUT x (butlast p)))
definition disjDomGD where disjDomGD p = disjDom (butlast p)
lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x
apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def
list2policy-def )apply (auto simp dom-def domIff split split-if-asm)
done
lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)
apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )
done
lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)
done
end
28 Putting Everything Together UPF
theoryUPF
imports
46
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
NormalisationNormalisationTestSpecificationAnalysis
begin
This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF
lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend
47
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
3 Example
In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]
UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]
31 Secure Service Specification
theoryService
importsUPF
begin
In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients
311 Datatypes for Modelling Users and Roles
Users
First we introduce a type for users that we use to model that each staff member has aunique id
type-synonym user = int
Similarly each patient has a unique id
type-synonym patient = int
Roles and Relationships
In our example we assume three different roles for members of the clinical staff
datatype role = ClinicalPractitioner | Nurse | Clerical
We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model
49
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
type-synonym lr-id = inttype-synonym LR = lr-id (user set)
The security context stores all the existing LRs
type-synonym Σ = patient LR
The user context stores the roles the users are in
type-synonym υ = user role
312 Modelling Health Records and the Web Service API
Health Records
The content and the status of the entries of a health record
datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR
The Web Service API
The operations provided by the service
datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry
fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False
fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False
fun is-deleteEntry where
50
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False
fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False
fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False
fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False
fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False
fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False
fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False
fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False
fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp
fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p
51
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p
fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u
fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r
fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))
fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True
fun allContentStatic where
52
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True
313 Modelling Access Control
In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)
Sealed Envelopes
type-synonym SEPolicy = (Operation times DB 7rarr unit)
definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp
| bScrc rArr Scr e-id)
definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))
definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c ))
| x rArr perp)
definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
| x rArr perp)
definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of
perp rArr perp| bec rArr (if (userHasAccess u e)
then ballow ()celse bdeny ()c))
53
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
| x rArr perp)
definition SEPolicy SEPolicy whereSEPolicy = editEntrySE
oplusdeleteEntrySE
oplusreadEntrySE
oplusAU
lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def
Legitimate Relationships
type-synonym LRPolicy = (Operation times Σ unit) policy
fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False
| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))
definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y
then ballow ()celse bdeny ()c))
definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))
then ballow ()celse perp)
definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))
then ballow ()celse perp)
definition LR-Policy where LR-Policy = createSCRPolicyoplus
addLRPolicyoplus
LR-Policy
oplusAU
lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def
type-synonym FunPolicy = (Operation times DB times Σunit) policy
fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D
then bdeny ()celse ballow ()c)
|createFunPolicy x = perp
54
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S
then bdeny ()celse ballow ()c)
|addLRFunPolicy x = perp
fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S
then ballow ()celse bdeny ()c)
|removeLRFunPolicy x = perp
fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|readSCRFunPolicy x = perp
fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D
then ballow ()celse bdeny ()c)
|deleteSCRFunPolicy x = perp
fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|changeStatusFunPolicy x = perp
fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp
fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =
(case d p of bxc rArr (if e isin dom x
55
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
then ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|readEntryFunPolicy x = perp
fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =
(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)
| - rArr bdeny ()c)|appendEntryFunPolicy x = perp
fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =
(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)
| - rArr bdeny ()c)|editEntryFunPolicy x = perp
definition FunPolicy whereFunPolicy = editEntryFunPolicy
oplusappendEntryFunPolicy
oplusreadEntryFunPolicy
oplusdeleteEntryFunPolicy
opluschangeStatusFunPolicy
oplusdeleteSCRFunPolicy
oplusremoveLRFunPolicy
oplusreadSCRFunPolicy
oplusaddLRFunPolicy
opluscreateFunPolicy
oplusAU
Modelling Core RBAC
type-synonym RBACPolicy = Operation times υ 7rarr unit
definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup
(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup
56
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
(r f ) r = Clerical and is-removeLR f
definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)
if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)
314 The State Transitions and Output Function
State Transition
fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c
| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =
(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )
then bScelse bS (p 7rarr x (ei 7rarre))c)))
|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =
(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))
|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))
|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc
| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c
| perp rArr bSc))|OpSuccessDB (x S ) = bSc
fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =
(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)
| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =
57
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)
|OpSuccessSigma (x S ) = bSc
fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc
Output
type-synonym Output = unit
fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c
fun OpFailOutput Operation Output whereOpFailOutput x = b()c
315 Combine All Parts
definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy
otimesorD LR-Policy) o (λ(abc) ((ab)ac))
definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy
otimesorD SE-LR-Policy) o (λa (aa)))
definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )
of (RBACPolicyotimesorD SE-LR-FUN-Policy)
o (λ(abcd) ((ad)(abc)))
definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput
otimesM (OpSuccessDB
otimesS OpSuccessSigmaotimes
S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))
definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))
definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times
58
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)
of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)
o (λx (x x )))
definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE
where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)
end
32 Instantiating Our Secure Service Example
theoryServiceExample
importsService
begin
In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients
321 Access Control Configuration
definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6
definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)
definition entry1 entry whereentry1 = (Openalice dummyContent)
definition entry2 entry whereentry2 = (Closed bob dummyContent)
definition entry3 entry whereentry3 = (Closed alice dummyContent)
definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))
59
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
definition SCR2 SCR whereSCR2 = (Mapempty)
definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )
definition LR1 LR whereLR1 =(empty(1 7rarralice))
definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))
322 The Initial System State
definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )
323 Basic Properties
lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)
lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False
by (simp)
lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def
SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def
SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def
readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def
alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def
Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def
ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def
entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs
60
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)
lemma exBool [simp] exist abool a by auto
lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto
lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto
Policy as monad Alice using her first urp can read the SCR of patient1
lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)
(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)
Presenting her other urp she is not allowed to read it
lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)
end
61
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
4 Conclusion and Related Work
41 Related Work
With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches
42 Conclusion Future Work
We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system
Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage
63
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
5 Appendix
51 Basic Monad Theory for Sequential Computations
theoryMonads
importsMain
begin
511 General Framework for Monad-based Sequence-Test
As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system
Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of
1 deterministic io automata
2 non-deterministic io automata and
3 labelled transition systems (LTS)
State Exception Monads
type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)
definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE
where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)
notation bind-SE (bindSE)syntax (xsymbols)
65
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE
((2 - larr - -) [5 8 8 ]8 )translations
x larr f g CONST bind-SE f ( x g)
definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)
definition failSE ( primeo primeσ)MON SE
where failSE = (λσ None)notation failSE (failSE)
definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE
where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)
definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE
where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)
definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE
where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)
The standard monad theorems about unit and associativity
lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )
done
lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)
done
lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)
done
In order to express test-sequences also on the object-level and to make our theory
66
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type
datatype in = op1 ι1 | | ιn
Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type
datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends
Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results
fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =
(case iostep a σ ofNone rArr Some([] σ)
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
67
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow
lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )
lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )
apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)
done
The fail-strict version of mbind prime looks as follows
fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE
where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =
(case iostep a σ ofNone rArr None
| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))
mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch
definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE
where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))
In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise
lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)
if a prime = Nonethen (M [])
68
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )
apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)
apply (auto)done
On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades
definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ
| Some H rArr Some H )
definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE
where malt-SE S = foldr alt-SE S failSE
notation malt-SE (d
SE)
lemma malt-SE-mt [simp]d
SE [] = failSE
by(simp add malt-SE-def )
lemma malt-SE-cons [simp]d
SE (a S ) = (a uSE (d
SE S ))by(simp add malt-SE-def )
State-Backtrack Monads
This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept
type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set
definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB
where bind-SB f g σ =⋃
((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)
definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)
69
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr
( primeo prime primeσ)MON SB
((2 - = - -) [5 8 8 ]8 )translations
x = f g CONST bind-SB f ( x g)
lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )
done
lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )
done
State Backtrack Exception Monad
The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement
type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option
definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE
where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S
in if None isin S prime then Noneelse Some(
⋃(the lsquo S prime))))
syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr
( primeo prime primeσ)MON SBE
((2 - equiv - -) [5 8 8 ]8 )translations
x equiv f g CONST bind-SBE f ( x g)
definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))
70
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assert-SBE e = (λσ if e σ then Some((()σ))else None)
notation assert-SBE (assertSBE)
definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE
where assume-SBE e = (λσ if e σ then Some((()σ))else Some )
notation assume-SBE (assumeSBE)
definition havoc-SBE (unit primeσ)MON SBE
where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)
lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )
done
lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )
apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )
done
lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]
lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def
case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case
by(rule-tac x=(a b) in bexI simp-all)next
case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal3 then show case
71
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
by(rule-tac x=(a b) in bexI simp-all)next
case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )
donenext
case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
done
nextcase goal6 then show case
apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )
doneqed
512 Valid Test Sequences in the State Exception Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))
This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well
lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))
oops
lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )
Recall mbind unit for the base case
lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =
72
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ
by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)
done
lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))
apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)
done
lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )
lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of
None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))
apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)
done
lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )
lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)
73
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)
apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)
done
lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )
lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )
74
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )
lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)
lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )
apply (assumption)apply (simp)
apply (subst Hilbert-ChoicesomeI assumption)apply (simp)
done
These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)
lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )
lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))
by(cases P σauto simp if-SE-D1 if-SE-D2 )
lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))
by(cases P σ auto simp if-SE-D1 if-SE-D2 )
lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )
75
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)
done
513 Valid Test Sequences in the State Exception Backtrack Monad
This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures
definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)
This notation considers all non-failures as valid
lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)
by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )
end
76
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
Bibliography
[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004
[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001
[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238
[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008
[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537
[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973
[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979
[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009
[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM
77
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011
[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013
[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513
[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009
[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158
[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969
[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip
[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086
[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839
[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf
78
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-
[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301
[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008
79
- Introduction
- The Unified Policy Framework (UPF)
-
- The Core of the Unified Policy Framework (UPF)
-
- Foundation
- Policy Constructors
- Override Operators
- Coercion Operators
-
- Elementary Policies
-
- The Core Policy Combinators Allow and Deny Everything
- Common Instances
- Domain Range and Restrictions
-
- Sequential Composition
-
- Flattening
- Policy Composition
-
- Parallel Composition
-
- Parallel Combinators Foundations
- Combinators for Transition Policies
- Range Splitting
- Distributivity of the parallel combinators
-
- Properties on Policies
-
- Basic Properties
- Combined Data-Policy Refinement
- Equivalence of Policies
-
- Policy Transformations
-
- Elementary Operators
- Distributivity of the Transformation
-
- Policy Transformation for Testing
- Putting Everything Together UPF
-
- Example
-
- Secure Service Specification
-
- Datatypes for Modelling Users and Roles
- Modelling Health Records and the Web Service API
- Modelling Access Control
- The State Transitions and Output Function
- Combine All Parts
-
- Instantiating Our Secure Service Example
-
- Access Control Configuration
- The Initial System State
- Basic Properties
-
- Conclusion and Related Work
-
- Related Work
- Conclusion Future Work
-
- Appendix
-
- Basic Monad Theory for Sequential Computations
-
- General Framework for Monad-based Sequence-Test
- Valid Test Sequences in the State Exception Monad
- Valid Test Sequences in the State Exception Backtrack Monad
-