Theory Security

(*
Title: SIFUM-Type-Systems
Authors: Sylvia Grewe, Heiko Mantel, Daniel Schoepe
*)
header {* Definition of the SIFUM-Security Property *}

theory Security
imports Main Preliminaries
begin

context sifum_security begin

subsection {* Evaluation of Concurrent Programs *}

abbreviation eval_abv :: "('Com, 'Var, 'Val) LocalConf => (_, _, _) LocalConf => bool"
  (infixl "\<leadsto>" 70)
  where
  "x \<leadsto> y ≡ (x, y) ∈ eval"

abbreviation conf_abv :: "'Com => 'Var Mds => ('Var, 'Val) Mem => (_,_,_) LocalConf"
  ("⟨_, _, _⟩" [0, 0, 0] 1000)
  where
  "⟨ c, mds, mem ⟩ ≡ ((c, mds), mem)"

(* Evaluation of global configurations: *)
inductive_set meval :: "(_,_,_) GlobalConf rel"
  and meval_abv :: "_ => _ => bool" (infixl "->" 70)
  where
  "conf -> conf' ≡ (conf, conf') ∈ meval" |
  meval_intro [iff]: "[| (cms ! n, mem) \<leadsto> (cm', mem'); n < length cms |] ==>
  ((cms, mem), (cms [n := cm'], mem')) ∈ meval"

inductive_cases meval_elim [elim!]: "((cms, mem), (cms', mem')) ∈ meval"

(* Syntactic sugar for the reflexive-transitive closure of meval: *)
abbreviation meval_clos :: "_ => _ => bool" (infixl "->⇧*" 70)
  where
  "conf ->⇧* conf' ≡ (conf, conf') ∈ meval⇧*"

fun lc_set_var :: "(_, _, _) LocalConf => 'Var => 'Val => (_, _, _) LocalConf"
  where
  "lc_set_var (c, mem) x v = (c, mem (x := v))"

fun meval_k :: "nat => ('Com, 'Var, 'Val) GlobalConf => (_, _, _) GlobalConf => bool"
  where
  "meval_k 0 c c' = (c = c')" |
  "meval_k (Suc n) c c' = (∃ c''. meval_k n c c'' ∧ c'' -> c')"

(* k steps of evaluation (for global configurations: *)
abbreviation meval_k_abv :: "nat => (_, _, _) GlobalConf => (_, _, _) GlobalConf => bool"
  ("_ ->\<index> _" [100, 100] 80)
  where
  "gc ->⇘k ⇙gc' ≡ meval_k k gc gc'"

subsection {* Low-equivalence and Strong Low Bisimulations *}

(* Low-equality between memory states: *)
definition low_eq :: "('Var, 'Val) Mem => (_, _) Mem => bool" (infixl "=⇧l" 80)
  where
  "mem⇩1 =⇧l mem⇩2 ≡ (∀ x. dma x = Low --> mem⇩1 x = mem⇩2 x)"

(* Low-equality modulo a given mode state: *)
definition low_mds_eq :: "'Var Mds => ('Var, 'Val) Mem => (_, _) Mem => bool"
  ("_ =\<index>⇧l _" [100, 100] 80)
  where
  "(mem⇩1 =⇘mds⇙⇧l mem⇩2) ≡ (∀ x. dma x = Low ∧ x ∉ mds AsmNoRead --> mem⇩1 x = mem⇩2 x)"

(* Initial mode state: *)
definition "mds⇩s" :: "'Var Mds" where
  "mds⇩s x = {}"

lemma [simp]: "mem =⇧l mem' ==> mem =⇘mds⇙⇧l mem'"
  by (simp add: low_mds_eq_def low_eq_def)

lemma [simp]: "(∀ mds. mem =⇘mds⇙⇧l mem') ==> mem =⇧l mem'"
  by (auto simp: low_mds_eq_def low_eq_def)

(* Closedness under globally consistent changes: *)
definition closed_glob_consistent :: "(('Com, 'Var, 'Val) LocalConf) rel => bool"
  where
  "closed_glob_consistent \<R> =
  (∀ c⇩1 mds mem⇩1 c⇩2 mem⇩2. (⟨ c⇩1, mds, mem⇩1 ⟩, ⟨ c⇩2, mds, mem⇩2 ⟩) ∈ \<R> -->
   (∀ x. ((dma x = High ∧ x ∉ mds AsmNoWrite) -->
           (∀ v⇩1 v⇩2. (⟨ c⇩1, mds, mem⇩1 (x := v⇩1) ⟩, ⟨ c⇩2, mds, mem⇩2 (x := v⇩2) ⟩) ∈ \<R>)) ∧
         ((dma x = Low ∧ x ∉ mds AsmNoWrite) -->
           (∀ v. (⟨ c⇩1, mds, mem⇩1 (x := v) ⟩, ⟨ c⇩2, mds, mem⇩2 (x := v) ⟩) ∈ \<R>))))"

(* Strong low bisimulations modulo modes: *)
definition strong_low_bisim_mm :: "(('Com, 'Var, 'Val) LocalConf) rel => bool"
  where
  "strong_low_bisim_mm \<R> ≡
  sym \<R> ∧
  closed_glob_consistent \<R> ∧
  (∀ c⇩1 mds mem⇩1 c⇩2 mem⇩2. (⟨ c⇩1, mds, mem⇩1 ⟩, ⟨ c⇩2, mds, mem⇩2 ⟩) ∈ \<R> -->
   (mem⇩1 =⇘mds⇙⇧l mem⇩2) ∧
   (∀ c⇩1' mds' mem⇩1'. ⟨ c⇩1, mds, mem⇩1 ⟩ \<leadsto> ⟨ c⇩1', mds', mem⇩1' ⟩ -->
    (∃ c⇩2' mem⇩2'. ⟨ c⇩2, mds, mem⇩2 ⟩ \<leadsto> ⟨ c⇩2', mds', mem⇩2' ⟩ ∧
                  (⟨ c⇩1', mds', mem⇩1' ⟩, ⟨ c⇩2', mds', mem⇩2' ⟩) ∈ \<R>)))"

inductive_set mm_equiv :: "(('Com, 'Var, 'Val) LocalConf) rel"
  and mm_equiv_abv :: "('Com, 'Var, 'Val) LocalConf => 
  ('Com, 'Var, 'Val) LocalConf => bool" (infix "≈" 60)
  where
  "mm_equiv_abv x y ≡ (x, y) ∈ mm_equiv" |
  mm_equiv_intro [iff]: "[| strong_low_bisim_mm \<R> ; (lc⇩1, lc⇩2) ∈ \<R> |] ==> (lc⇩1, lc⇩2) ∈ mm_equiv"

inductive_cases mm_equiv_elim [elim]: "⟨ c⇩1, mds, mem⇩1 ⟩ ≈ ⟨ c⇩2, mds, mem⇩2 ⟩"

definition low_indistinguishable :: "'Var Mds => 'Com => 'Com => bool"
  ("_ ∼\<index> _" [100, 100] 80)
  where "c⇩1 ∼⇘mds⇙ c⇩2 = (∀ mem⇩1 mem⇩2. mem⇩1 =⇘mds⇙⇧l mem⇩2 -->
    ⟨ c⇩1, mds, mem⇩1 ⟩ ≈ ⟨ c⇩2, mds, mem⇩2 ⟩)"

subsection {* SIFUM-Security *}

(* SIFUM-security for commands: *)
definition com_sifum_secure :: "'Com => bool"
  where "com_sifum_secure c = c ∼⇘mds⇩s⇙ c"

definition add_initial_modes :: "'Com list => ('Com × 'Var Mds) list"
  where "add_initial_modes cmds = zip cmds (replicate (length cmds) mds⇩s)"

definition no_assumptions_on_termination :: "'Com list => bool"
  where "no_assumptions_on_termination cmds =
  (∀ mem mem' cms'.
    (add_initial_modes cmds, mem) ->⇧* (cms', mem') ∧
    list_all (λ c. c = stop) (map fst cms') -->
      (∀ mds' ∈ set (map snd cms'). mds' AsmNoRead = {} ∧ mds' AsmNoWrite = {}))"

(* SIFUM-security for programs: *)
definition prog_sifum_secure :: "'Com list => bool"
  where "prog_sifum_secure cmds =
  (no_assumptions_on_termination cmds ∧
   (∀ mem⇩1 mem⇩2. mem⇩1 =⇧l mem⇩2 -->
    (∀ k cms⇩1' mem⇩1'.
     (add_initial_modes cmds, mem⇩1) ->⇘k⇙ (cms⇩1', mem⇩1') -->
      (∃ cms⇩2' mem⇩2'. (add_initial_modes cmds, mem⇩2) ->⇘k⇙ (cms⇩2', mem⇩2') ∧
                      map snd cms⇩1' = map snd cms⇩2' ∧
                      length cms⇩2' = length cms⇩1' ∧
                      (∀ x. dma x = Low ∧ (∀ i < length cms⇩1'.
                        x ∉ snd (cms⇩1' ! i) AsmNoRead) --> mem⇩1' x = mem⇩2' x)))))"

subsection {* Sound Mode Use *}

definition doesnt_read :: "'Com => 'Var => bool"
  where
  "doesnt_read c x = (∀ mds mem c' mds' mem'.
  ⟨ c, mds, mem ⟩ \<leadsto> ⟨ c', mds', mem' ⟩ -->
  ((∀ v. ⟨ c, mds, mem (x := v) ⟩ \<leadsto> ⟨ c', mds', mem' (x := v) ⟩) ∨
   (∀ v. ⟨ c, mds, mem (x := v) ⟩ \<leadsto> ⟨ c', mds', mem' ⟩)))"

definition doesnt_modify :: "'Com => 'Var => bool"
  where
  "doesnt_modify c x = (∀ mds mem c' mds' mem'. (⟨ c, mds, mem ⟩ \<leadsto> ⟨ c', mds', mem' ⟩) -->
                        mem x = mem' x)"

(* Local reachability of local configurations: *)
inductive_set loc_reach :: "('Com, 'Var, 'Val) LocalConf => ('Com, 'Var, 'Val) LocalConf set"
  for lc :: "(_, _, _) LocalConf"
  where
  refl : "⟨fst (fst lc), snd (fst lc), snd lc⟩ ∈ loc_reach lc" |
  step : "[| ⟨c', mds', mem'⟩ ∈ loc_reach lc;
            ⟨c', mds', mem'⟩ \<leadsto> ⟨c'', mds'', mem''⟩ |] ==>
          ⟨c'', mds'', mem''⟩ ∈ loc_reach lc" |
  mem_diff : "[| ⟨ c', mds', mem' ⟩ ∈ loc_reach lc;
                (∀ x ∈ mds' AsmNoWrite. mem' x = mem'' x) |] ==>
              ⟨ c', mds', mem'' ⟩ ∈ loc_reach lc"

definition locally_sound_mode_use :: "(_, _, _) LocalConf => bool"
  where
  "locally_sound_mode_use lc =
  (∀ c' mds' mem'. ⟨ c', mds', mem' ⟩ ∈ loc_reach lc -->
    (∀ x. (x ∈ mds' GuarNoRead --> doesnt_read c' x) ∧
          (x ∈ mds' GuarNoWrite --> doesnt_modify c' x)))"

definition compatible_modes :: "('Var Mds) list => bool"
  where
  "compatible_modes mdss = (∀ (i :: nat) x. i < length mdss -->
    (x ∈ (mdss ! i) AsmNoRead -->
     (∀ j < length mdss. j ≠ i --> x ∈ (mdss ! j) GuarNoRead)) ∧
    (x ∈ (mdss ! i) AsmNoWrite -->
     (∀ j < length mdss. j ≠ i --> x ∈ (mdss ! j) GuarNoWrite)))"

definition reachable_mode_states :: "('Com, 'Var, 'Val) GlobalConf => (('Var Mds) list) set"
  where "reachable_mode_states gc =
  {mdss. (∃ cms' mem'. gc ->⇧* (cms', mem') ∧ map snd cms' = mdss)}"

definition globally_sound_mode_use :: "('Com, 'Var, 'Val) GlobalConf => bool"
  where "globally_sound_mode_use gc =
  (∀ mdss. mdss ∈ reachable_mode_states gc --> compatible_modes mdss)"

primrec sound_mode_use :: "(_, _, _) GlobalConf => bool"
  where
  "sound_mode_use (cms, mem) =
     (list_all (λ cm. locally_sound_mode_use (cm, mem)) cms ∧
      globally_sound_mode_use (cms, mem))"

(* We now show that mm_equiv itself forms a strong low bisimulation modulo modes: *)
lemma mm_equiv_sym:
  assumes equivalent: "⟨c⇩1, mds⇩1, mem⇩1⟩ ≈ ⟨c⇩2, mds⇩2, mem⇩2⟩"
  shows "⟨c⇩2, mds⇩2, mem⇩2⟩ ≈ ⟨c⇩1, mds⇩1, mem⇩1⟩"
proof -
  from equivalent obtain \<R>
    where \<R>_bisim: "strong_low_bisim_mm \<R> ∧ (⟨c⇩1, mds⇩1, mem⇩1⟩, ⟨c⇩2, mds⇩2, mem⇩2⟩) ∈ \<R>"
    by (metis mm_equiv.simps)
  hence "sym \<R>"
    by (auto simp: strong_low_bisim_mm_def)
  hence "(⟨c⇩2, mds⇩2, mem⇩2⟩, ⟨c⇩1, mds⇩1, mem⇩1⟩) ∈ \<R>"
    by (metis \<R>_bisim symE)
  thus ?thesis
    by (metis \<R>_bisim mm_equiv.intros)
qed

lemma low_indistinguishable_sym: "lc ∼⇘mds⇙ lc' ==> lc' ∼⇘mds⇙ lc"
  by (auto simp: mm_equiv_sym low_indistinguishable_def low_mds_eq_def)

lemma mm_equiv_glob_consistent: "closed_glob_consistent mm_equiv"
  unfolding closed_glob_consistent_def
  apply clarify
  apply (erule mm_equiv_elim)
  by (auto simp: strong_low_bisim_mm_def closed_glob_consistent_def)

lemma mm_equiv_strong_low_bisim: "strong_low_bisim_mm mm_equiv"
  unfolding strong_low_bisim_mm_def
proof (auto)
  show "closed_glob_consistent mm_equiv" by (rule mm_equiv_glob_consistent)
next
  fix c⇩1 mds mem⇩1 c⇩2 mem⇩2 x
  assume "⟨ c⇩1, mds, mem⇩1 ⟩ ≈ ⟨ c⇩2, mds, mem⇩2 ⟩"
  then obtain \<R> where
    "strong_low_bisim_mm \<R> ∧ (⟨ c⇩1, mds, mem⇩1 ⟩, ⟨ c⇩2, mds, mem⇩2 ⟩) ∈ \<R>"
    by blast
  thus "mem⇩1 =⇘mds⇙⇧l mem⇩2" by (auto simp: strong_low_bisim_mm_def)
next
  fix c⇩1 :: 'Com
  fix mds mem⇩1 c⇩2 mem⇩2 c⇩1' mds' mem⇩1'
  let ?lc⇩1 = "⟨ c⇩1, mds, mem⇩1 ⟩" and
      ?lc⇩1' = "⟨ c⇩1', mds', mem⇩1' ⟩" and
      ?lc⇩2 = "⟨ c⇩2, mds, mem⇩2 ⟩"
  assume "?lc⇩1 ≈ ?lc⇩2"
  then obtain \<R> where "strong_low_bisim_mm \<R> ∧ (?lc⇩1, ?lc⇩2) ∈ \<R>"
    by (rule mm_equiv_elim, blast)
  moreover assume "?lc⇩1 \<leadsto> ?lc⇩1'"
  ultimately show "∃ c⇩2' mem⇩2'. ?lc⇩2 \<leadsto> ⟨ c⇩2', mds', mem⇩2' ⟩ ∧ ?lc⇩1' ≈ ⟨ c⇩2', mds', mem⇩2' ⟩"
    by (simp add: strong_low_bisim_mm_def mm_equiv_sym, blast)
next
  show "sym mm_equiv"
    by (auto simp: sym_def mm_equiv_sym)
qed

end

end