Theory Parametrized_Dataplane_3_directed
section‹Parametrized dataplane protocol for directed protocols›
text‹This is an instance of the @{text "Parametrized_Dataplane_2"} model, specifically for protocols
that authorize paths in an undirected fashion. We specialize the @{text "hf_valid_generic"} check
to a still parametrized, but more concrete @{text "hf_valid"} check. The rest of the parameters
remain abstract until a later instantiation with a concrete protocols (see the instances directory).
While both the models for undirected and directed protocols import assumptions from the theory
@{text "Network_Assumptions"}, they differ in strength: the assumptions made by undirected protocols
are strictly weaker, since the entire forwarding path is authorized by each AS, and not only the
future path from the perspective of each AS.
In addition, the specific conditions that instances have to verify differs between the undirected
and the directed setting (compare the locales @{text "dataplane_3_undirected"} and
@{text "dataplane_3_directed"}).
This explains the need to split up the verification of the attacker event into two theories. Despite
the differences that concrete protocols may exhibit, these two theories suffice to show the crux
of the refinement proof. The instances merely have to show a set of static conditions›
theory Parametrized_Dataplane_3_directed
imports
"Parametrized_Dataplane_2" "Network_Assumptions" "infrastructure/Take_While_Update"
begin
subsection ‹Hop validation check, authorized segments, and path extraction.›
text‹First we define a locale that requires a number of functions. We will later extend this
to a locale @{text "dataplane_3_directed"}, which makes assumptions on how these functions operate.
We separate the assumptions in order to make use of some auxiliary definitions defined in this locale. ›
locale dataplane_3_directed_defs = network_assums_direct _ _ _ auth_seg0
for auth_seg0 :: "('ainfo × 'aahi ahi_scheme list) set" +
fixes hf_valid :: "'ainfo ⇒ 'uinfo
⇒ ('aahi, 'uhi) HF
⇒ ('aahi, 'uhi) HF option ⇒ bool"
and auth_restrict :: "'ainfo ⇒ 'uinfo ⇒ ('aahi, 'uhi) HF list ⇒ bool"
and extr :: "msgterm ⇒ 'aahi ahi_scheme list"
and extr_ainfo :: "msgterm ⇒ 'ainfo"
and term_ainfo :: "'ainfo ⇒ msgterm"
and terms_hf :: "('aahi, 'uhi) HF ⇒ msgterm set"
and terms_uinfo :: "'uinfo ⇒ msgterm set"
and upd_uinfo :: "'uinfo ⇒ ('aahi, 'uhi) HF ⇒ 'uinfo"
and no_oracle :: "'ainfo ⇒ 'uinfo ⇒ bool"
begin
abbreviation hf_valid_generic :: "'ainfo ⇒ 'uinfo
⇒ ('aahi, 'uhi) HF list
⇒ ('aahi, 'uhi) HF option
⇒ ('aahi, 'uhi) HF
⇒ ('aahi, 'uhi) HF option ⇒ bool" where
"hf_valid_generic ainfo uinfo pas pre hf nxt ≡ hf_valid ainfo uinfo hf nxt"
definition hfs_valid_prefix_generic ::
"'ainfo ⇒ 'uinfo ⇒ ('aahi, 'uhi) HF list ⇒ ('aahi, 'uhi) HF option ⇒ ('aahi, 'uhi) HF list ⇒
('aahi, 'uhi) HF option ⇒ ('aahi, 'uhi) HF list"where
"hfs_valid_prefix_generic ainfo uinfo pas pre fut nxt ≡
TWu.takeW (λ uinfo hf nxt . hf_valid ainfo uinfo hf nxt) upd_uinfo uinfo fut nxt"
declare hfs_valid_prefix_generic_def[simp]
sublocale dataplane_2_defs _ _ _ auth_seg0 hf_valid_generic hfs_valid_prefix_generic
auth_restrict extr extr_ainfo term_ainfo terms_hf terms_uinfo upd_uinfo
apply unfold_locales done
abbreviation hfs_valid where
"hfs_valid ainfo uinfo l nxt ≡ TWu.holds (hf_valid ainfo) upd_uinfo uinfo l nxt"
abbreviation hfs_valid_prefix where
"hfs_valid_prefix ainfo uinfo l nxt ≡ TWu.takeW (hf_valid ainfo) upd_uinfo uinfo l nxt"
abbreviation hfs_valid_None where
"hfs_valid_None ainfo uinfo l ≡ hfs_valid ainfo uinfo l None"
abbreviation hfs_valid_None_prefix where
"hfs_valid_None_prefix ainfo uinfo l ≡ hfs_valid_prefix ainfo uinfo l None"
abbreviation upds_uinfo where
"upds_uinfo ≡ foldl upd_uinfo"
abbreviation upds_uinfo_shifted where
"upds_uinfo_shifted uinfo l nxt ≡ TWu.upd_shifted upd_uinfo uinfo l nxt"
end
print_locale dataplane_3_directed_defs
locale dataplane_3_directed_ik_defs = dataplane_3_directed_defs _ _ _ _ hf_valid auth_restrict
extr extr_ainfo term_ainfo terms_hf _ upd_uinfo for
hf_valid :: "'ainfo ⇒ 'uinfo ⇒ ('aahi, 'uhi) HF ⇒ ('aahi, 'uhi) HF option ⇒ bool"
and auth_restrict :: "'ainfo => 'uinfo ⇒ ('aahi, 'uhi) HF list ⇒ bool"
and extr :: "msgterm ⇒ 'aahi ahi_scheme list"
and extr_ainfo :: "msgterm ⇒ 'ainfo"
and term_ainfo :: "'ainfo ⇒ msgterm"
and terms_hf :: "('aahi, 'uhi) HF ⇒ msgterm set"
and upd_uinfo :: "'uinfo ⇒ ('aahi, 'uhi) HF ⇒ 'uinfo"
+
fixes ik_add :: "msgterm set"
and ik_oracle :: "msgterm set"
begin
lemma auth_seg2_elem: "⟦(ainfo, hfs) ∈ (auth_seg2 uinfo); hf ∈ set hfs⟧
⟹ ∃nxt uinfo'. hf_valid ainfo uinfo' hf nxt ∧ auth_restrict ainfo uinfo hfs ∧ (ainfo, AHIS hfs) ∈ auth_seg0"
by (auto simp add: auth_seg2_def TWu.holds_takeW_is_identity dest!: TWu.holds_set_list)
lemma prefix_hfs_valid_prefix_generic:
"prefix (hfs_valid_prefix_generic ainfo uinfo pas pre fut nxt) fut"
by(auto intro: TWu.takeW_prefix)
lemma cons_hfs_valid_prefix_generic:
"⟦hf_valid_generic ainfo uinfo hfs (head pas) hf1 (head fut); hfs = (rev pas)@hf1 #fut;
m = ⦇AInfo = ainfo, UInfo = uinfo, past = pas, future = hf1 # fut, history = hist⦈⟧
⟹ hfs_valid_prefix_generic ainfo uinfo pas (head pas) (hf1 # fut) None =
hf1 # (hfs_valid_prefix_generic ainfo (upd_uinfo_pkt (fwd_pkt m)) (hf1#pas) (Some hf1) fut None)"
apply auto
apply(cases fut)
apply auto
by (auto simp add: TWu.takeW.simps)
print_locale dataplane_2_ik_defs
sublocale dataplane_2_ik_defs _ _ _ _ hfs_valid_prefix_generic auth_restrict extr extr_ainfo term_ainfo
terms_hf _ no_oracle hf_valid_generic upd_uinfo ik_add ik_oracle
by unfold_locales
end
subsection ‹Conditions of the parametrized model›
text‹We now list the assumptions of this parametrized model. ›
print_locale dataplane_3_directed_ik_defs
locale dataplane_3_directed = dataplane_3_directed_ik_defs _ _ _ _ _ no_oracle hf_valid auth_restrict
extr extr_ainfo term_ainfo _ upd_uinfo ik_add ik_oracle
for hf_valid :: "'ainfo ⇒ 'uinfo
⇒ ('aahi, 'uhi) HF
⇒ ('aahi, 'uhi) HF option ⇒ bool"
and auth_restrict :: "'ainfo => 'uinfo ⇒ ('aahi, 'uhi) HF list ⇒ bool"
and extr :: "msgterm ⇒ 'aahi ahi_scheme list"
and extr_ainfo :: "msgterm ⇒ 'ainfo"
and term_ainfo :: "'ainfo ⇒ msgterm"
and upd_uinfo :: "'uinfo ⇒ ('aahi, 'uhi) HF ⇒ 'uinfo"
and ik_add :: "msgterm set"
and ik_oracle :: "msgterm set"
and no_oracle :: "'ainfo ⇒ 'uinfo ⇒ bool" +
assumes COND_terms_hf:
"⟦hf_valid ainfo uinfo hf nxt; terms_hf hf ⊆ analz ik; no_oracle ainfo uinfo⟧
⟹ ∃hfs . hf ∈ set hfs ∧ (∃uinfo' . (ainfo, hfs) ∈ (auth_seg2 uinfo'))"
and COND_honest_hf_analz:
"⟦ASID (AHI hf) ∉ bad; hf_valid ainfo uinfo hf nxt; terms_hf hf ⊆ synth (analz ik);
no_oracle ainfo uinfo⟧
⟹ terms_hf hf ⊆ analz ik"
and COND_path_prefix_extr:
"prefix (AHIS (hfs_valid_prefix ainfo uinfo l nxt))
(extr_from_hd l)"
and COND_extr_prefix_path:
"⟦hfs_valid ainfo uinfo l nxt; auth_restrict ainfo uinfo l; nxt = None⟧
⟹ prefix (extr_from_hd l) (AHIS l)"
and COND_hf_valid_uinfo:
"⟦hf_valid ainfo uinfo hf nxt; hf_valid ainfo' uinfo' hf nxt'⟧
⟹ uinfo' = uinfo"
and COND_upd_uinfo_ik:
"⟦terms_uinfo uinfo ⊆ synth (analz ik); terms_hf hf ⊆ synth (analz ik)⟧
⟹ terms_uinfo (upd_uinfo uinfo hf) ⊆ synth (analz ik)"
and COND_upd_uinfo_no_oracle:
"no_oracle ainfo uinfo ⟹ no_oracle ainfo (upd_uinfo uinfo fld)"
and COND_auth_restrict_upd:
"auth_restrict ainfo uinfo (hf1 # hf2 # xs) ⟹ auth_restrict ainfo (upd_uinfo uinfo hf2) (hf2 # xs)"
begin
lemma holds_path_eq_extr:
"⟦hfs_valid ainfo uinfo l nxt; auth_restrict ainfo uinfo l; nxt = None⟧ ⟹ extr_from_hd l = AHIS l"
using COND_extr_prefix_path COND_path_prefix_extr
by (metis TWu.holds_implies_takeW_is_identity prefix_order.eq_iff)
lemma upds_uinfo_no_oracle:
"no_oracle ainfo uinfo ⟹ no_oracle ainfo (upds_uinfo uinfo hfs)"
by (induction hfs rule: rev_induct, auto intro!: COND_upd_uinfo_no_oracle)
subsection ‹Lemmas that are needed for the refinement proof›
thm COND_upd_uinfo_ik COND_upd_uinfo_ik[THEN subsetD] subsetI
lemma upd_uinfo_ik_elem:
"⟦t ∈ terms_uinfo (upd_uinfo uinfo hf); terms_uinfo uinfo ⊆ synth (analz ik); terms_hf hf ⊆ synth (analz ik)⟧
⟹ t ∈ synth (analz ik)"
oops
lemma honest_hf_analz_subsetI:
"⟦t ∈ terms_hf hf; ASID (AHI hf) ∉ bad; hf_valid ainfo uinfo hf nxt; terms_hf hf ⊆ synth (analz ik);
no_oracle ainfo uinfo⟧
⟹ t ∈ analz ik"
using COND_honest_hf_analz subsetI by blast
lemma extr_from_hd_eq: "(l ≠ [] ∧ l' ≠ [] ∧ hd l = hd l') ∨ (l = [] ∧ l' = []) ⟹ extr_from_hd l = extr_from_hd l'"
apply (cases l)
apply auto
apply(cases l')
by auto
lemma path_prefix_extr_l:
"⟦hd l = hd l'; l' ≠ []⟧ ⟹ prefix (AHIS (hfs_valid_prefix ainfo uinfo l nxt))
(extr_from_hd l')"
using COND_path_prefix_extr extr_from_hd.elims list.sel(1) not_prefix_cases prefix_Cons prefix_Nil
by metis
lemma path_prefix_extr_l':
"⟦hd l = hd l'; l' ≠ []; hf = hd l'⟧ ⟹ prefix (AHIS (hfs_valid_prefix ainfo uinfo l nxt))
(extr (HVF hf))"
using COND_path_prefix_extr extr_from_hd.elims list.sel(1) not_prefix_cases prefix_Cons prefix_Nil
by metis
lemma auth_restrict_app:
assumes "auth_restrict ainfo uinfo p" "p = pre @ hf # post"
shows "auth_restrict ainfo (upds_uinfo_shifted uinfo pre hf) (hf # post)"
using assms proof(induction pre arbitrary: p uinfo hf)
case Nil
then show ?case using assms by (simp add: TWu.upd_shifted.simps(2))
next
case induct_asm: (Cons a prev)
show ?case
proof(cases prev)
case Nil
then have "auth_restrict ainfo (upd_uinfo uinfo hf) (hf # post)"
using induct_asm COND_auth_restrict_upd by simp
then show ?thesis
using induct_asm Nil by (auto simp add: TWu.upd_shifted.simps)
next
case cons_asm: (Cons b list)
then have "auth_restrict ainfo (upd_uinfo uinfo b) (b # list @ hf # post)"
using induct_asm(2-3) COND_auth_restrict_upd by auto
then show ?thesis
using induct_asm(1)
by (simp add: cons_asm TWu.upd_shifted.simps)
qed
qed
lemma hfs_valid_None_Cons:
assumes "hfs_valid_None ainfo uinfo p" "p = hf1 # hf2 # post"
shows "hfs_valid_None ainfo (upd_uinfo uinfo hf2) (hf2 # post)"
using assms apply auto
by(auto simp add: TWu.holds.simps(1))
lemma pfrag_extr_auth:
assumes "hf ∈ set p" and "(ainfo, p) ∈ (auth_seg2 uinfo)"
shows "pfragment ainfo (extr (HVF hf)) auth_seg0"
proof -
have p_verified: "hfs_valid_None ainfo uinfo p" "auth_restrict ainfo uinfo p"
using assms(2) auth_seg2_def TWu.holds_takeW_is_identity by fastforce+
obtain pre post where p_def: "p = pre @ hf # post" using assms(1) split_list by metis
then have hf_post_valid:
"hfs_valid_None ainfo (upds_uinfo_shifted uinfo pre hf) (hf # post)"
"auth_restrict ainfo (upds_uinfo_shifted uinfo pre hf) (hf # post)"
using p_verified by (auto intro: TWu.holds_intermediate auth_restrict_app)
then have "pfragment ainfo (AHIS (hf # post)) auth_seg0"
using assms(2) p_def by(auto intro!: pfragmentI[of _ "AHIS pre" _ "[]"] simp add: auth_seg2_def)
then have "pfragment ainfo (extr_from_hd (hf # post)) auth_seg0"
using holds_path_eq_extr[symmetric] hf_post_valid by metis
then show ?thesis by simp
qed
lemma X_in_ik_is_auth:
assumes "terms_hf hf1 ⊆ analz ik" and "no_oracle ainfo uinfo"
shows "pfragment ainfo (AHIS (hfs_valid_prefix ainfo uinfo
(hf1 # fut)
nxt))
auth_seg0"
proof -
let ?pFu = "hf1 # fut"
let ?takW = "(hfs_valid_prefix ainfo uinfo ?pFu nxt)"
have "prefix (AHIS (hfs_valid_prefix ainfo uinfo ?takW (TWu.extract (hf_valid ainfo) upd_uinfo uinfo ?pFu nxt)))
(extr_from_hd ?takW)"
by(auto simp add: COND_path_prefix_extr simp del: AHIS_def)
then have "prefix (AHIS ?takW) (extr_from_hd ?takW)"
by(simp add: TWu.takeW_takeW_extract)
moreover from assms have "pfragment ainfo (extr_from_hd ?takW) auth_seg0"
by (auto simp add: TWu.takeW_split_tail dest!: COND_terms_hf intro: pfrag_extr_auth)
ultimately show ?thesis
by(auto intro: pfragment_prefix elim!: prefixE)
qed
subsubsection ‹Fragment is extendable›
text ‹makes sure that: the segment is terminated, i.e. the leaf AS's HF has Eo = None›
fun terminated2 :: "('aahi, 'uhi) HF list ⇒ bool" where
"terminated2 (hf#xs) ⟷ DownIF (AHI hf) = None ∨ ASID (AHI hf) ∈ bad"
| "terminated2 [] = True"
lemma terminated20: "terminated (AHIS m) ⟹ terminated2 m" by(induction m, auto)
lemma cons_snoc: "∃y ys. x # xs = ys @ [y]"
by (metis append_butlast_last_id rev.simps(2) rev_is_Nil_conv)
lemma terminated2_suffix:
"⟦terminated2 l; l = zs @ x # xs; DownIF (AHI x) ≠ None; ASID (AHI x) ∉ bad⟧ ⟹ ∃y ys. zs = ys @ [y]"
by(cases "zs")
(fastforce intro: cons_snoc)+
lemma attacker_modify_cutoff: "⟦(info, zs@hf#ys) ∈ auth_seg0; ASID hf = a;
ASID hf' = a; UpIF hf' = UpIF hf; a ∈ bad; ys' = hf'#ys⟧ ⟹ (info, ys') ∈ auth_seg0"
by(auto simp add: ASM_modify dest: ASM_cutoff)
lemma auth_seg2_terms_hf[elim]:
"⟦x ∈ terms_hf hf; hf ∈ set hfs; (ainfo, hfs) ∈ (auth_seg2 uinfo) ⟧ ⟹ x ∈ analz ik"
by(auto 3 4 simp add: ik_def)
lemma "⟦hfs_valid ainfo uinfo hfs nxt; hfs = pref @ [hf]⟧ ⟹ hf_valid ainfo (upds_uinfo uinfo pref) hf nxt"
apply auto
thm TWu.holds_append[where ?P="(hf_valid ainfo)", where ?upd=upd_uinfo]
apply(auto simp add: TWu.holds_append[where ?P="(hf_valid ainfo)", where ?upd=upd_uinfo])
apply(cases pref) apply auto
apply (simp add: TWu.holds.simps(2))
apply (simp add: TWu.holds.simps(2))
oops
text ‹This lemma proves that an attacker-derivable segment that starts with an attacker hop field,
and has a next hop field which belongs to an honest AS, when restricted to its valid prefix, is
authorized. Essentially this is the case because the hop field of the honest AS already contains
an interface identifier DownIF that points to the attacker-controlled AS. Thus, there must have been
some attacker-owned hop field on the original authorized path. Given the assumptions we make in the
directed setting, the attacker can make take a suffix of an authorized path, such that his hop field
is first on the path, and he can change his own hop field if his hop field is the first on the path,
thus, that segment is also authorized.›
lemma fragment_with_Eo_Some_extendable:
assumes "terms_hf hf2 ⊆ synth (analz ik)"
and "ASID (AHI hf1) ∈ bad"
and "ASID (AHI hf2) ∉ bad"
and "hf_valid ainfo uinfo hf1 (Some hf2)"
and "no_oracle ainfo uinfo"
shows
"pfragment ainfo
(ifs_valid_prefix pre'
(AHIS (hfs_valid_prefix ainfo uinfo
(hf1 # hf2 # fut)
None))
None)
auth_seg0"
proof(cases)
assume "hf_valid ainfo (upd_uinfo uinfo hf2) hf2 (head fut)
∧ if_valid (Some (AHI hf1)) (AHI hf2) (AHIo (head fut))"
then have hf2true: "hf_valid ainfo (upd_uinfo uinfo hf2) hf2 (head fut)"
"if_valid (Some (AHI hf1)) (AHI hf2) (AHIo (head fut))" by blast+
then have "∃ hfs uinfo' . hf2 ∈ set hfs ∧ (ainfo, hfs) ∈ (auth_seg2 uinfo')"
using assms by(auto intro!: COND_terms_hf COND_upd_uinfo_no_oracle
elim!: honest_hf_analz_subsetI)
then obtain hfs uinfo' where hfs_def:
"hf2 ∈ set hfs" "(ainfo, hfs) ∈ (auth_seg2 uinfo')" "hfs_valid_None ainfo uinfo' hfs"
"no_oracle ainfo uinfo'"
using COND_terms_hf by(auto simp add: auth_seg2_def TWu.holds_takeW_is_identity)
have termianted_hfs: "terminated2 hfs"
using hfs_def(2) by (auto simp add: auth_seg2_def ASM_terminated intro: terminated20)
have "∃pref hf1' ys . hfs = pref@[hf1']@(hf2#ys)"
using hf2true(2) assms(3) hfs_def(1) terminated2_suffix
by(fastforce dest: split_list intro: termianted_hfs)
then obtain pref hf1' ys where hfs_unfold: "hfs = pref@[hf1']@(hf2#ys)" by fastforce
have hf2_valid: "hf_valid ainfo (upds_uinfo uinfo' (tl (pref@[hf1', hf2]))) hf2 (head ys)"
and hf1'true: "hf_valid ainfo (upds_uinfo uinfo' (tl (pref@[hf1']))) hf1' (Some hf2)"
using hfs_def(3) hfs_unfold
apply(auto simp add: TWu.holds_append[where ?P="(hf_valid ainfo)", where ?upd=upd_uinfo])
apply (auto simp add: hfs_def hfs_unfold TWu.holds_unfold_prelnil tail_snoc TWu.holds.simps(1)
elim!: TWu.holds_unfold_prexnxt' intro: rev_exhaust[where ?xs=pref])
subgoal
apply(cases pref) apply auto
apply (metis TWu.holds.simps(1) TWu.holds.simps(2) head.elims)
by (metis TWu.holds.simps(1) TWu.holds.simps(2) head.elims)
subgoal
apply(cases pref) by (auto simp add: TWu.holds.simps)
done
have uinfo'_eq: "upd_uinfo uinfo hf2 = upds_uinfo uinfo' (tl (pref @ [hf1', hf2]))"
using hf2_valid hf2true(1) by(auto elim!: COND_hf_valid_uinfo)
then have uinfo'_eq2: "upd_uinfo uinfo hf2 = upd_uinfo (upds_uinfo uinfo' (tl (pref @ [hf1']))) hf2"
by(simp add: tl_append2)
have if_valid_hf2hf1': "if_valid (Some (AHI hf1')) (AHI hf2) (head (AHIS ys))"
apply(cases ys)
using assms(3) hfs_def(2) ASM_if_valid TW.holds_unfold_prexnxt' TW.holds_unfold_prelnil
by(fastforce simp add: hfs_unfold auth_seg2_def)+
have "pfragment ainfo (AHIS (hfs_valid_prefix ainfo (upds_uinfo uinfo' (tl (pref@[hf1'])))
(hf1' # hf2 # fut)
None))
auth_seg0"
apply(rule X_in_ik_is_auth)
using hfs_def(1,2,4) assms(2,5)
by(fastforce simp add: hfs_unfold ik_def
intro!: upds_uinfo_no_oracle COND_upd_uinfo_no_oracle)+
then show ?thesis
apply-
apply(rule strip_ifs_valid_prefix)
apply(erule pfragment_self_eq_nil)
apply auto
apply(auto simp add: TWu.takeW_split_tail[where ?x=hf1'])
subgoal
using assms(2-4) hf2true(2) if_valid_hf2hf1' hf1'true
by(auto elim!: attacker_modify_cutoff[where ?hf'="AHI hf1"] simp add: TWu.takeW_split_tail uinfo'_eq2)
subgoal
using hf1'true by(auto)
done
next
assume hf2false: "¬(hf_valid ainfo (upd_uinfo uinfo hf2) hf2 (head fut)
∧ if_valid (Some (AHI hf1)) (AHI hf2) (AHIo (head fut)))"
show ?thesis
proof(cases)
assume hf1_correct: "hf_valid ainfo uinfo hf1 (Some hf2)
∧ if_valid pre' (AHI hf1) (Some (AHI hf2))"
show ?thesis
proof(cases)
assume hf2_valid: "hf_valid ainfo (upd_uinfo uinfo hf2) hf2 (head fut)"
then have "¬if_valid (Some (AHI hf1)) (AHI hf2) (AHIo (head fut))" using hf2false by simp
then show ?thesis
using hf1_correct hf2_valid apply(auto)
using assms(2) by(auto simp add: TW.takeW_split_tail TWu.takeW_split_tail intro: ASM_singleton)
next
assume "¬hf_valid ainfo (upd_uinfo uinfo hf2) hf2 (head fut)"
then show ?thesis apply auto apply(cases fut)
using assms(2)
by(auto simp add: TW.takeW_split_tail[where ?x=hf1] TWu.takeW_split_tail TW.takeW.simps
intro: ASM_singleton intro!: strip_ifs_valid_prefix)
qed
next
assume "¬ (hf_valid ainfo uinfo hf1 (Some hf2)
∧ if_valid pre' (AHI hf1) (Some (AHI hf2)))"
then show ?thesis
using hf2false apply auto
by (auto simp add: TW.takeW.simps TWu.takeW_split_tail[where ?x=hf1] TWu.takeW_split_tail[where ?x=hf2]
ASM_singleton assms(2) strip_ifs_valid_prefix)
qed
qed
subsubsection ‹A1 and A2 collude to make a wormhole›
text ‹We lift @{text "extend_pfragment0"} to DP2.›
lemma extend_pfragment2:
assumes "pfragment ainfo
(ifs_valid_prefix (Some (AHI hf1))
(AHIS (hfs_valid_prefix ainfo (upd_uinfo uinfo hf2)
(hf2 # fut)
nxt))
None)
auth_seg0"
assumes "hf_valid ainfo uinfo hf1 (Some hf2)"
assumes "ASID (AHI hf1) ∈ bad"
assumes "ASID (AHI hf2) ∈ bad"
shows "pfragment ainfo
(ifs_valid_prefix pre'
(AHIS (hfs_valid_prefix ainfo uinfo
(hf1 # hf2 # fut)
nxt))
None)
auth_seg0"
using assms
apply(auto simp add: TWu.takeW_split_tail[where ?P="hf_valid ainfo"])
apply(auto simp add: TWu.takeW_split_tail[where ?P="if_valid"] TWu.takeW.simps(1)
intro: ASM_singleton strip_ifs_valid_prefix intro!: extend_pfragment0)
by (simp add: TW.takeW_split_tail extend_pfragment0)
declare hfs_valid_prefix_generic_def[simp del]
text‹This is the central lemma that we need to prove to show the refinement between this model and
dp1. It states: If an attacker can synthesize a segment from his knowledge, and does not use a path
origin that was used to query the oracle, then the valid prefix of the segment is authorized. Thus,
the attacker cannot create any valid but unauthorized segments.›
lemma ik_seg_is_auth:
assumes "terms_pkt m ⊆ synth (analz ik)" and "future m = hfs" and "AInfo m = ainfo"
and "nxt = None" and "no_oracle ainfo uinfo"
shows "pfragment ainfo
(ifs_valid_prefix prev'
(AHIS (hfs_valid_prefix ainfo uinfo hfs nxt))
None)
auth_seg0"
using assms
proof(induction hfs nxt arbitrary: prev' m rule: TWu.takeW.induct[where ?Pa="hf_valid ainfo", where ?upd="upd_uinfo"])
case (1 _ _)
then show ?case using append_Nil ASM_empty pfragment_def Nil_is_map_conv TWu.takeW.simps(1) AHIS_def
by (metis TW.takeW.simps(1) hfs_valid_prefix_generic_def)
next
case (2 pre hf nxt)
then show ?case
proof(cases)
assume "ASID (AHI hf) ∈ bad"
then show ?thesis apply-
by(intro strip_ifs_valid_prefix)
(auto simp add: pfragment_def ASM_singleton TWu.takeW_singleton intro!: exI[of _ "[]"])
next
assume "ASID (AHI hf) ∉ bad"
then show ?thesis
apply(intro strip_ifs_valid_prefix) apply(cases m)
using 2 assms by (auto simp add: terms_pkt_def
simp del: AHIS_def intro!: X_in_ik_is_auth dest: COND_honest_hf_analz)
qed
next
case (3 info hf nxt)
then show ?case
by (intro strip_ifs_valid_prefix, simp add: TWu.takeW_singleton)
next
case (4 info hf1 hf2 xs nxt)
then show ?case
proof(cases)
assume hf1bad: "ASID (AHI hf1) ∈ bad"
then show ?thesis
proof(cases)
assume hf2bad: "ASID (AHI hf2) ∈ bad"
show ?thesis
apply(intro extend_pfragment2)
subgoal
apply (auto simp add: 4(6)) apply(cases m)
apply(rule 4(2)[simplified, where ?m1="fwd_pkt (upd_pkt m)"])
using 4(3-7) by (auto simp add: terms_pkt_def upd_pkt_def
intro: COND_upd_uinfo_no_oracle COND_upd_uinfo_ik[THEN subsetD])
using 4(1,3-5) ‹no_oracle ainfo uinfo› by(auto intro: hf1bad hf2bad)
next
assume "ASID (AHI hf2) ∉ bad"
then show ?thesis
using 4(1,4-7) hf1bad apply(simp add: hfs_valid_prefix_generic_def)
using 4(3)
by(auto 3 4 intro!: fragment_with_Eo_Some_extendable[simplified]
simp add: terms_pkt_def simp del: hfs_valid_prefix_generic_def AHIS_def)
qed
next
assume "ASID (AHI hf1) ∉ bad"
then show ?thesis
apply(intro strip_ifs_valid_prefix)
using 4(1,3-7) by(auto intro!: X_in_ik_is_auth simp del: AHIS_def simp add: terms_pkt_def
dest: COND_honest_hf_analz)
qed
next
case 5
then show ?case
by(intro strip_ifs_valid_prefix, simp add: TWu.takeW_two_or_more)
qed
lemma ik_seg_is_auth':
assumes "terms_pkt m ⊆ synth (analz ik)"
and "future m = hfs" and "AInfo m = ainfo" and "nxt = None" and "no_oracle ainfo uinfo"
shows "pfragment ainfo
(ifs_valid_prefix prev'
(AHIS (hfs_valid_prefix_generic ainfo uinfo pas pre hfs nxt))
None)
auth_seg0"
using ik_seg_is_auth hfs_valid_prefix_generic_def assms
by simp
print_locale dataplane_2
sublocale dataplane_2 _ _ _ _ hfs_valid_prefix_generic _ _ _ _ _ _ no_oracle _ _ hf_valid_generic upd_uinfo
apply unfold_locales
using ik_seg_is_auth' COND_upd_uinfo_ik COND_upd_uinfo_no_oracle
prefix_hfs_valid_prefix_generic cons_hfs_valid_prefix_generic apply auto
by (metis list.inject)
end
end