theory SLE66 imports ISM_package --{* we build on the general ISM definitions *} begin ML {* Pretty.setmargin 169; quick_and_dirty:=false *} use_thy "../awe-0.4/Extensions/AWE" typedecl fn --{* function name *} typedecl dn --{* data object name *} datatype on = F fn | D dn --{* object name *} consts f_SN :: "fn" --{* the name of the function giving the serial number *} FTest0 :: "fn set" --{* the names of test functions of phase 0 *} FTest1 :: "fn set" --{* the names of test functions of phase 1 *} FTest :: "fn set" --{* the names of all test functions *} F_Sec :: "fn set" --{* the names of all security-relevant functions *} F_PSec :: "fn set" --{* the subset of @{term F_Sec} relevant for the processor *} F_ASec :: "fn set" --{* the names of @{term F_Sec} relevant for applications *} F_NSec :: "fn set" --{* the names of all non-security-relevant functions *} D_Sec :: "dn set" --{* the names of all security-relevant data objects *} D_PSec :: "dn set" --{* the subset of @{term D_Sec} relevant for the processor *} D_ASec :: "dn set" --{* the names of @{term D_Sec} relevant for applications *} D_NSec :: "dn set" --{* the names of all non-security-relevant data objects *} Sec :: "on set" --{* the names of all security-relevant objects *} defs FTest_def: "FTest \ FTest0 \ FTest1" F_ASec_def: "F_ASec \ F_Sec - F_PSec" D_ASec_def: "D_ASec \ D_Sec - D_PSec" F_NSec_def: "F_NSec \ -F_Sec" D_NSec_def: "D_NSec \ -D_Sec" Sec_def: "Sec \ {F fn |fn. fn \ F_Sec} \ {D dn |dn. dn \ D_Sec}" axioms f_SN_not_FTest: "f_SN \ FTest" lemmas f_SN_not_FTest [simp] lemma [simp]: "(- FTest0 \ - FTest) = (- FTest)" by (auto simp: FTest_def) lemma [simp]: "(- FTest1 \ - FTest) = (- FTest)" by (auto simp: FTest_def) datatype ph = P0 | P1 | P2 | Error typedecl val --{* data and function values *} consts SN :: val --{* serial number *} record chip_data = valF :: "fn \ val" valD :: "dn \ val" translations "chip_data" \ (type) "\valF :: fn \ val, valD :: dn \ val\" constdefs val :: "chip_data \ on \ val" "val s on \ case on of F fn \ valF s fn | D dn \ valD s dn" types SLE66_state = "ph \ chip_data" translations "SLE66_state" \ (type) "ph \ chip_data" constdefs fct :: "chip_data \ fn set" "fct s \ dom (valF s)" lemma dom_valF_fct [simp]: "f \ dom (valF s) = (f \ fct s)" by (auto simp: fct_def) lemma fct_upd_valF [simp]: "fct (s\valF := f\) = dom f" by(auto simp: fct_def) consts "output" :: "fn \ chip_data \ val" "change" :: "fn \ chip_data \ chip_data" "positive" :: "val \ bool" datatype interface = In | Out typedecl sb (* --{* subjects *}*) consts Pmf :: sb (* --{* processor manufacturer *}*) datatype message = Exec sb fn | Load sb fn val | Spy on --{* input *} | Val val | Ok | No --{* output *} consts subject :: "message \ sb" primrec "subject (Exec sb fn ) = sb" "subject (Load sb fn v) = sb" subsection "ISM definition" ism SLE66 = ports interface inputs \"{In}" outputs "{Out}" messages message states control ph init "P0" data chip_data name "s" transitions R00: P0 \ P1 pre "f \ fct s\FTest0", "positive (output f s)" in In "[Exec Pmf f]" out Out "[Ok]" post valF := "valF s|`(-FTest0)" R01: P0 \ P2 pre "f \ fct s\FTest1", "positive (output f s)" in In "[Exec Pmf f]" out Out "[Ok]" post valF := "valF s|`(-FTest)" R02: P0 \ Error pre "f \ fct s\FTest0", "\positive (output f s)" in In "[Exec Pmf f]" out Out "[No]" R03: P0 \ P0 pre "f \ fct s - FTest" in In "[Exec Pmf f]" out Out "[Val (output f s)]" post "change f s" R04: P0 \ P0 pre "sb \ Pmf \ f \ fct s" in In "[Exec sb f]" out Out "[No]" R11: P1 \ P2 pre "f \ fct s\FTest1", "positive (output f s)" in In "[Exec Pmf f]" out Out "[Ok]" post valF := "valF s|`(-FTest1)" R12: P1 \ Error pre "f \ fct s\FTest1", "\positive (output f s)" in In "[Exec Pmf f]" out Out "[No]" R13: P1 \ P1 pre "f \ fct s - FTest1" in In "[Exec Pmf f]" out Out "[Val (output f s)]" post "change f s" R14: P1 \ P1 pre "sb \ Pmf \ f \ fct s" in In "[Exec sb f]" out Out "[No]" R21: P2 \ P2 pre "f \ fct s" in In "[Exec sb f]" out Out "[Val (output f s)]" post "change f s" R22: P2 \ P2 pre "f \ fct s" in In "[Exec sb f]" out Out "[No]" R31: Error \ Error pre "f_SN \ fct s" in In "[Exec sb f_SN]" out Out "[Val SN]" R32: Error \ Error pre "f \ fct s\{f_SN}" in In "[Exec sb f]" out Out "[No]" R41: P1 \ P1 pre "f \ F_NSec \ (F_ASec - fct s)" in In "[Load Pmf f v]" out Out "[Ok]" post valF := "valF s(f\v)" R42: ph \ ph pre "f \ F_NSec \ (F_ASec - fct s) \ sb \ Pmf \ ph \ P1" in In "[Load sb f v]" out Out "[No]" R51: ph \ ph pre "on \ Sec", "ph \ Error" in In "[Spy on]" out Out "case val s on of None \ [] | Some v \ [Val v]" R52: ph \ Error pre "on \ Sec", "v \ {[],[Val (the (val s on))]}", "ph \ Error" in In "[Spy on]" out Out "v" post "any" R52':ph \ ph pre "on \ Sec", "ph \ Error" in In "[Spy on]" out Out "[]" R53: Error \ Error in In "[Spy on]" out Out "[]" post "any" lemma trans_ism [simp]: "ism.trans ism = transs" by (simp add: ism_def ism.defs) constdefs unwind :: "SLE66_state \ on set \ SLE66_state \ bool" ("_/ ~_~/ _" [61, 61, 61] 60) "s ~A~ t \ fst s = fst t \ fct (snd s) = fct (snd t) \ (\on\A. val (snd s) on = val (snd t) on)" lemma unwind_def2: "(ph, s) ~A~ (ph',t) = (ph = ph' \ fct s = fct t \ (\fn. F fn \ A \ valF s fn = valF t fn) \ (\dn. D dn \ A \ valD s dn = valD t dn))" by (auto simp add: unwind_def val_def split add: on.split) lemma unwind_ph_fct_D: "(ph, s) ~A~ (ph',t) \ ph = ph' \ fct s = fct t" by (simp add: unwind_def2) theorem noleak_Sec_determ: "\s t. \s ~-Sec~ t; s \ reach ism; ((p,s),c,(p' ,s')) \ transs; t \ reach ism; ((p,t),c,(p'',t')) \ transs; fst s' \ Error; fst t' \ Error\ \ p' = p'' \ s' ~-Sec~ t'" apply (clarsimp, frule unwind_ph_fct_D, clarify) apply (erule SLE66.transs.elims) apply (safe del: conjI IntI disjE UnE insertE) apply (erule_tac [!] SLE66.transs.elims, simp_all) oops end