# HG changeset patch # User chunhan # Date 1383092320 -28800 # Node ID 6f9a588bcfc4758e86c5763029467a25e09db6ee # Parent 0753309adfc7e8bbf57b411a39c59e65f8bf116c update diff -r 0753309adfc7 -r 6f9a588bcfc4 Co2sobj_prop.thy --- a/Co2sobj_prop.thy Thu Oct 24 09:42:35 2013 +0800 +++ b/Co2sobj_prop.thy Wed Oct 30 08:18:40 2013 +0800 @@ -2105,11 +2105,6 @@ apply (drule cf2sfile_mkdir1, simp+) done -lemma same_inodes_Tainted: - "\f \ same_inode_files s f'; valid s\ \ (O_file f \ Tainted s) = (O_file f' \ Tainted s)" -apply (frule same_inode_files_prop8, frule same_inode_files_prop7) -apply (auto intro:has_same_inode_Tainted) -done lemma co2sobj_linkhard: "\valid (LinkHard p oldf f # s); alive (LinkHard p oldf f # s) obj\ @@ -2151,9 +2146,7 @@ simp:current_files_simps cf2sfiles_simps cf2sfile_simps cp2sproc_simps tainted_eq_Tainted same_inode_files_prop6 dest:is_file_in_current is_dir_in_current) - -(* should delete has_same_inode !?!?*) -by (auto simp:same_inode_files_def is_file_def has_same_inode_def split:if_splits option.splits) +done lemma co2sobj_kill: "\valid (Kill p p' # s); alive (Kill p p' # s) obj\ \ co2sobj (Kill p p' # s) obj = co2sobj s obj" diff -r 0753309adfc7 -r 6f9a588bcfc4 Current_prop.thy --- a/Current_prop.thy Thu Oct 24 09:42:35 2013 +0800 +++ b/Current_prop.thy Wed Oct 30 08:18:40 2013 +0800 @@ -67,15 +67,18 @@ lemma has_same_inode_in_current: "\has_same_inode s f f'; valid s\ \ f \ current_files s \ f' \ current_files s" -by (auto simp add:has_same_inode_def current_files_def) +by (auto simp add:has_same_inode_def current_files_def same_inode_files_def + is_file_def split:if_splits option.splits) + lemma has_same_inode_prop1: "\has_same_inode s f f'; is_file s f; valid s\ \ is_file s f'" -by (auto simp:has_same_inode_def is_file_def) +by (auto simp:has_same_inode_def same_inode_files_def is_file_def) lemma has_same_inode_prop1': "\has_same_inode s f f'; is_file s f'; valid s\ \ is_file s f" -by (auto simp:has_same_inode_def is_file_def) +by (auto simp:has_same_inode_def is_file_def same_inode_files_def + split:if_splits option.splits) lemma has_same_inode_prop2: "\has_same_inode s f f'; file_of_proc_fd s p fd = Some f; valid s\ \ is_file s f'" diff -r 0753309adfc7 -r 6f9a588bcfc4 Dynamic_static.thy --- a/Dynamic_static.thy Thu Oct 24 09:42:35 2013 +0800 +++ b/Dynamic_static.thy Wed Oct 30 08:18:40 2013 +0800 @@ -1,32 +1,10 @@ theory Dynamic_static imports Main Flask Static Init_prop Valid_prop Tainted_prop Delete_prop Co2sobj_prop S2ss_prop S2ss_prop2 + Temp begin context tainting_s begin -definition init_ss_eq:: "t_static_state \ t_static_state \ bool" (infix "\" 100) -where - "ss \ ss' \ ss \ ss' \ {sobj. is_init_sobj sobj \ sobj \ ss'} \ ss" - -lemma [simp]: "ss \ ss" -by (auto simp:init_ss_eq_def) - -definition init_ss_in:: "t_static_state \ t_static_state set \ bool" (infix "\" 101) -where - "ss \ sss \ \ ss' \ sss. ss \ ss'" - -lemma s2ss_included_sobj: - "\alive s obj; co2sobj s obj= Some sobj\ \ sobj \ (s2ss s)" -by (simp add:s2ss_def, rule_tac x = obj in exI, simp) - -lemma init_ss_in_prop: - "\s2ss s \ static; co2sobj s obj = Some sobj; alive s obj; init_obj_related sobj obj\ - \ \ ss \ static. sobj \ ss" -apply (simp add:init_ss_in_def init_ss_eq_def) -apply (erule bexE, erule conjE) -apply (rule_tac x = ss' in bexI, auto dest!:s2ss_included_sobj) -done - @@ -55,17 +33,6 @@ "is_inited s obj = (\ is_created s obj)" by (auto simp:is_created_def is_inited_def) -(* recorded in our static world *) -fun recorded :: "t_object \ bool" -where - "recorded (O_proc p) = True" -| "recorded (O_file f) = True" -| "recorded (O_dir f) = True" -| "recorded (O_node n) = False" (* cause socket is temperary not considered *) -| "recorded (O_shm h) = True" -| "recorded (O_msgq q) = True" -| "recorded _ = False" - @@ -95,6 +62,16 @@ sorry +(* recorded in our static world *) +fun recorded :: "t_object \ bool" +where + "recorded (O_proc p) = True" +| "recorded (O_file f) = True" +| "recorded (O_dir f) = True" +| "recorded (O_node n) = False" (* cause socket is temperary not considered *) +| "recorded (O_shm h) = True" +| "recorded (O_msgq q) = True" +| "recorded _ = False" lemma enrichability: "\valid s; \ obj \ objs. alive s obj \ is_created s obj \ recorded obj\ diff -r 0753309adfc7 -r 6f9a588bcfc4 Flask.thy --- a/Flask.thy Thu Oct 24 09:42:35 2013 +0800 +++ b/Flask.thy Wed Oct 30 08:18:40 2013 +0800 @@ -311,38 +311,6 @@ where "current_files \ = {f. \ i. inum_of_file \ f = Some i}" -definition has_same_inode :: "t_state \ t_file \ t_file \ bool" -where - "has_same_inode \ fa fb = - (\i. inum_of_file \ fa = Some i \ inum_of_file \ fb = Some i)" - -fun inum_of_socket :: "t_state \ (t_socket \ t_inode_num)" -where - "inum_of_socket [] = init_inum_of_socket" -| "inum_of_socket (CloseFd p fd # \) = - (inum_of_socket \) ((p, fd):= None)" -| "inum_of_socket (CreateSock p af st fd ino # \) = - (inum_of_socket \) ((p, fd) := Some ino)" -| "inum_of_socket (Accept p fd addr lport' fd' ino # \) = - (inum_of_socket \) ((p, fd') := Some ino)" -| "inum_of_socket (Clone p p' fds shms # \) = - (\ (p'', fd). if (p'' = p' \ fd \ fds) then inum_of_socket \ (p, fd) - else if (p'' = p') then None - else inum_of_socket \ (p'',fd))" -| "inum_of_socket (Execve p f fds # \) = - (\ (p', fd). if (p' = p \ fd \ fds) then inum_of_socket \ (p, fd) - else if (p' = p) then None - else inum_of_socket \ (p', fd))" -| "inum_of_socket (Kill p\<^isub>1 p\<^isub>2 # \) = - (\ (p, fd). if (p = p\<^isub>2) then None else inum_of_socket \ (p, fd) )" -| "inum_of_socket (Exit p # \) = - (\ (p', fd). if (p' = p) then None else inum_of_socket \ (p', fd))" -| "inum_of_socket (_ # \) = inum_of_socket \" - -definition current_sockets :: "t_state \ t_socket set" -where - "current_sockets \ = {s. \ i. inum_of_socket \ s = Some i}" - (* experimentary: for the delete obj's (file or socket) inode num, it is unnecessary for itag_of_inum to be NONE, cause this is the situation blocked by inum_of_file / inum_of_socket !!! *) (* delete a file, just recycle its inode num, but not destroy its inode \, so it is irrelative to these events, like closeFd, Rmdir, UnLink \*) fun itag_of_inum :: "t_state \ (t_inode_num \ t_inode_tag)" @@ -378,6 +346,41 @@ where "dir_is_empty \ f \ is_dir \ f \ \ (\ f'. f' \ current_files \ \ f \ f')" +definition same_inode_files :: "t_state \ t_file \ t_file set" +where + "same_inode_files s f \ if is_file s f then {f'. inum_of_file s f = inum_of_file s f'} else {}" + +definition has_same_inode :: "t_state \ t_file \ t_file \ bool" +where + "has_same_inode s fa fb \ fb \ same_inode_files s fa" + +fun inum_of_socket :: "t_state \ (t_socket \ t_inode_num)" +where + "inum_of_socket [] = init_inum_of_socket" +| "inum_of_socket (CloseFd p fd # \) = + (inum_of_socket \) ((p, fd):= None)" +| "inum_of_socket (CreateSock p af st fd ino # \) = + (inum_of_socket \) ((p, fd) := Some ino)" +| "inum_of_socket (Accept p fd addr lport' fd' ino # \) = + (inum_of_socket \) ((p, fd') := Some ino)" +| "inum_of_socket (Clone p p' fds shms # \) = + (\ (p'', fd). if (p'' = p' \ fd \ fds) then inum_of_socket \ (p, fd) + else if (p'' = p') then None + else inum_of_socket \ (p'',fd))" +| "inum_of_socket (Execve p f fds # \) = + (\ (p', fd). if (p' = p \ fd \ fds) then inum_of_socket \ (p, fd) + else if (p' = p) then None + else inum_of_socket \ (p', fd))" +| "inum_of_socket (Kill p\<^isub>1 p\<^isub>2 # \) = + (\ (p, fd). if (p = p\<^isub>2) then None else inum_of_socket \ (p, fd) )" +| "inum_of_socket (Exit p # \) = + (\ (p', fd). if (p' = p) then None else inum_of_socket \ (p', fd))" +| "inum_of_socket (_ # \) = inum_of_socket \" + +definition current_sockets :: "t_state \ t_socket set" +where + "current_sockets \ = {s. \ i. inum_of_socket \ s = Some i}" + definition is_tcp_sock :: "t_state \ t_socket \ bool" where "is_tcp_sock \ s \ (case (inum_of_socket \ s) of @@ -522,10 +525,6 @@ where "current_inode_nums \ = current_file_inums \ \ current_sock_inums \" -definition same_inode_files :: "t_state \ t_file \ t_file set" -where - "same_inode_files s f \ if is_file s f then {f'. inum_of_file s f = inum_of_file s f'} else {}" - fun flags_of_proc_fd :: "t_state \ t_process \ t_fd \ t_open_flags option" where "flags_of_proc_fd [] p fd = init_oflags_of_proc_fd p fd" diff -r 0753309adfc7 -r 6f9a588bcfc4 ROOT --- a/ROOT Thu Oct 24 09:42:35 2013 +0800 +++ b/ROOT Wed Oct 30 08:18:40 2013 +0800 @@ -34,4 +34,5 @@ session "s2ss" = "co2sobj" + options [document = false] theories - S2ss_prop \ No newline at end of file + S2ss_prop + S2ss_prop2 \ No newline at end of file diff -r 0753309adfc7 -r 6f9a588bcfc4 S2ss_prop.thy --- a/S2ss_prop.thy Thu Oct 24 09:42:35 2013 +0800 +++ b/S2ss_prop.thy Wed Oct 30 08:18:40 2013 +0800 @@ -1875,9 +1875,9 @@ apply (rule_tac x = obj in exI, simp add:co2sobj_linkhard alive_linkhard) done -lemma has_same_inode_prop3: - "is_file s f \ has_same_inode s f f" -by (auto simp:is_file_def has_same_inode_def split:option.splits) +lemma same_inode_files_prop12: + "is_file s f \ f \ same_inode_files s f " +by (auto simp:is_file_def same_inode_files_def split:option.splits) definition update_s2ss_sfile_tainted:: "t_state \ t_static_state \ t_file \ bool \ t_static_state" where @@ -1900,12 +1900,11 @@ apply (simp add:s2ss_def) apply (tactic {*my_seteq_tac 1*}) apply (case_tac "obj = O_file f") -apply (rule disjI1, simp add:co2sobj.simps tainted_eq_Tainted has_same_inode_prop3 cf2sfiles_other) +apply (rule disjI1, simp add:co2sobj.simps tainted_eq_Tainted same_inode_files_prop12 cf2sfiles_other) apply (erule_tac obj = obj in co2sobj_some_caseD) apply (rule disjI2, simp, rule_tac x = obj in exI, simp add:co2sobj_truncate alive_simps) apply (case_tac "fa \ same_inode_files s f") apply (rule disjI1, simp add:co2sobj.simps tainted_eq_Tainted cf2sfiles_prop cf2sfiles_other) -apply (simp add:same_inode_files_prop7) apply (rule disjI2, simp, rule_tac x = obj in exI) apply (simp add:co2sobj_truncate is_file_simps) apply (rule disjI2, simp, rule_tac x = obj in exI) @@ -1916,7 +1915,7 @@ apply (simp add:co2sobj_truncate) apply (tactic {*my_setiff_tac 1*}) apply (rule_tac x = "O_file f" in exI) -apply (simp add:co2sobj.simps is_file_simps tainted_eq_Tainted cf2sfiles_other has_same_inode_prop3) +apply (simp add:co2sobj.simps is_file_simps tainted_eq_Tainted cf2sfiles_other same_inode_files_prop12) apply (tactic {*my_setiff_tac 1*}) apply (erule_tac obj = obj in co2sobj_some_caseD) apply (rule_tac x = obj in exI, simp add:co2sobj_truncate) @@ -1933,13 +1932,12 @@ apply (simp add:s2ss_def) apply (tactic {*my_seteq_tac 1*}) apply (case_tac "obj = O_file f") -apply (rule disjI1, simp add:co2sobj.simps tainted_eq_Tainted has_same_inode_prop3 cf2sfiles_other) +apply (rule disjI1, simp add:co2sobj.simps tainted_eq_Tainted same_inode_files_prop12 cf2sfiles_other) apply (erule_tac obj = obj in co2sobj_some_caseD) apply (rule disjI2, simp, rule conjI, rule_tac x = obj in exI, simp add:co2sobj_truncate alive_simps) apply (rule notI, simp add:co2sobj.simps split:option.splits) apply (case_tac "fa \ same_inode_files s f") apply (rule disjI1, simp add:co2sobj.simps tainted_eq_Tainted cf2sfiles_prop cf2sfiles_other) -apply (simp add:same_inode_files_prop7) apply (rule disjI2, simp, rule conjI, rule_tac x = obj in exI) apply (simp add:co2sobj_truncate is_file_simps) apply (rule notI, simp add:co2sobj_truncate is_file_simps) @@ -1956,7 +1954,7 @@ apply (rule notI, simp add:co2sobj.simps split:option.splits) apply (tactic {*my_setiff_tac 1*}) apply (rule_tac x = "O_file f" in exI) -apply (simp add:co2sobj.simps is_file_simps tainted_eq_Tainted cf2sfiles_other has_same_inode_prop3) +apply (simp add:co2sobj.simps is_file_simps tainted_eq_Tainted cf2sfiles_other same_inode_files_prop12) apply (tactic {*my_setiff_tac 1*}) apply (erule_tac obj = obj in co2sobj_some_caseD) apply (rule_tac x = obj in exI, simp add:co2sobj_truncate) diff -r 0753309adfc7 -r 6f9a588bcfc4 Static.thy --- a/Static.thy Thu Oct 24 09:42:35 2013 +0800 +++ b/Static.thy Wed Oct 30 08:18:40 2013 +0800 @@ -122,6 +122,122 @@ definition "init_static_state \ {sobj. \ obj. init_alive obj \ init_obj2sobj obj = Some sobj}" +(**************** translation from dynamic to static *******************) + +definition cf2sfile :: "t_state \ t_file \ t_sfile option" +where + "cf2sfile s f \ + case (parent f) of + None \ Some sroot + | Some pf \ if (is_file s f) + then (case (sectxt_of_obj s (O_file f), sectxt_of_obj s (O_dir pf), get_parentfs_ctxts s pf) of + (Some sec, Some psec, Some asecs) \ + Some (if (\ deleted (O_file f) s \ is_init_file f) then Init f else Created, sec, Some psec, set asecs) + | _ \ None) + else (case (sectxt_of_obj s (O_dir f), sectxt_of_obj s (O_dir pf), get_parentfs_ctxts s pf) of + (Some sec, Some psec, Some asecs) \ + Some (if (\ deleted (O_dir f) s \ is_init_dir f) then Init f else Created, sec, Some psec, set asecs) + | _ \ None)" + +definition cf2sfiles :: "t_state \ t_file \ t_sfile set" +where + "cf2sfiles s f \ {sf. \ f' \ (same_inode_files s f). cf2sfile s f' = Some sf}" + +(* here cf2sfile is passed with True, because, process' fds are only for files not dirs *) +definition cfd2sfd :: "t_state \ t_process \ t_fd \ t_sfd option" +where + "cfd2sfd s p fd \ + (case (file_of_proc_fd s p fd, flags_of_proc_fd s p fd, sectxt_of_obj s (O_fd p fd)) of + (Some f, Some flags, Some sec) \ (case (cf2sfile s f) of + Some sf \ Some (sec, flags, sf) + | _ \ None) + | _ \ None)" + + +definition cpfd2sfds :: "t_state \ t_process \ t_sfd set" +where + "cpfd2sfds s p \ {sfd. \ fd \ proc_file_fds s p. cfd2sfd s p fd = Some sfd}" + +definition ch2sshm :: "t_state \ t_shm \ t_sshm option" +where + "ch2sshm s h \ (case (sectxt_of_obj s (O_shm h)) of + Some sec \ + Some (if (\ deleted (O_shm h) s \ h \ init_shms) then Init h else Created, sec) + | _ \ None)" + +definition cph2spshs :: "t_state \ t_process \ t_sproc_sshm set" +where + "cph2spshs s p \ {(sh, flag)| sh flag h. (p, flag) \ procs_of_shm s h \ ch2sshm s h = Some sh}" + +definition cp2sproc :: "t_state \ t_process \ t_sproc option" +where + "cp2sproc s p \ (case (sectxt_of_obj s (O_proc p)) of + Some sec \ + Some (if (\ deleted (O_proc p) s \ p \ init_procs) then Init p else Created, sec, + cpfd2sfds s p, cph2spshs s p) + | _ \ None)" + +definition cm2smsg :: "t_state \ t_msgq \ t_msg \ t_smsg option" +where + "cm2smsg s q m \ (case (sectxt_of_obj s (O_msg q m)) of + Some sec \ + Some (if (\ deleted (O_msg q m) s \ m \ set (init_msgs_of_queue q)) then Init m else Created, + sec, O_msg q m \ tainted s) + | _ \ None)" + +fun cqm2sms:: "t_state \ t_msgq \ t_msg list \ (t_smsg list) option" +where + "cqm2sms s q [] = Some []" +| "cqm2sms s q (m#ms) = + (case (cqm2sms s q ms, cm2smsg s q m) of + (Some sms, Some sm) \ Some (sm#sms) + | _ \ None)" + +definition cq2smsgq :: "t_state \ t_msgq \ t_smsgq option" +where + "cq2smsgq s q \ (case (sectxt_of_obj s (O_msgq q), cqm2sms s q (msgs_of_queue s q)) of + (Some sec, Some sms) \ + Some (if (\ deleted (O_msgq q) s \ q \ init_msgqs) then Init q else Created, + sec, sms) + | _ \ None)" + +fun co2sobj :: "t_state \ t_object \ t_sobject option" +where + "co2sobj s (O_proc p) = + (case (cp2sproc s p) of + Some sp \ Some (S_proc sp (O_proc p \ tainted s)) + | _ \ None)" +| "co2sobj s (O_file f) = + Some (S_file (cf2sfiles s f) (O_file f \ tainted s))" +| "co2sobj s (O_dir f) = + (case (cf2sfile s f) of + Some sf \ Some (S_dir sf) + | _ \ None)" +| "co2sobj s (O_msgq q) = + (case (cq2smsgq s q) of + Some sq \ Some (S_msgq sq) + | _ \ None)" +| "co2sobj s (O_shm h) = + (case (ch2sshm s h) of + Some sh \ Some (S_shm sh) + | _ \ None)" +(* +| "co2sobj s (O_msg q m) = + (case (cq2smsgq s q, cm2smsg s q m) of + (Some sq, Some sm) \ Some (S_msg sq sm) + | _ \ None)" +*) +| "co2sobj s _ = None" + + +definition s2ss :: "t_state \ t_static_state" +where + "s2ss s \ {sobj. \ obj. alive s obj \ co2sobj s obj = Some sobj}" + + +(* ******************************************************** *) + + fun is_init_sfile :: "t_sfile \ bool" where "is_init_sfile (Init _, sec, psec,asec) = True" @@ -204,18 +320,6 @@ else (ss - {S_dir sf tag}) \ {S_dir sf' tag'})" *) -definition update_ss :: "t_static_state \ t_sobject \ t_sobject \ t_static_state" -where - "update_ss ss so so' \ if (is_many so) then ss \ {so'} else (ss - {so}) \ {so'}" - -definition add_ss :: "t_static_state \ t_sobject \ t_static_state" -where - "add_ss ss so \ ss \ {so}" - -definition del_ss :: "t_static_state \ t_sobject \ t_static_state" -where - "del_ss ss so \ if (is_many so) then ss else ss - {so}" - (* fun sparent :: "t_sfile \ t_sfile option" where @@ -487,147 +591,6 @@ | "\info_flow_sshm sp (pi,sec,fds,shms); info_flow_sproc_sshms shms shms'\ \ info_flow_sshm sp (pi',sec',fds',shms')" -definition update_ss_shms :: "t_static_state \ t_sproc \ bool \ t_static_state" -where - "update_ss_shms ss spfrom tag \ {sobj. \ sobj' \ ss. - (case sobj' of - S_proc sp tagp \ if (info_flow_sshm spfrom sp) - then if (is_many_sproc sp) - then (sobj = S_proc sp tagp \ sobj = S_proc sp (tagp \ tag)) - else (sobj = S_proc sp (tagp \ tag)) - else (sobj = S_proc sp tag) - | _ \ sobj = sobj')}" - - - -(* all reachable static states(sobjects set) *) -inductive_set static :: "t_static_state set" -where - s_init: "init_static_state \ static" -| s_execve: "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; S_file sfs tagf \ ss; - (fi,fsec,pfsec,asecs) \ sfs; npctxt_execve pctxt fsec = Some pctxt'; - grant_execve pctxt fsec pctxt'; search_check_s pctxt (fi,fsec,pfsec,asecs) True; - inherit_fds_check_s pctxt' fds'; fds' \ fds\ - \ (update_ss ss (S_proc (pi, pctxt, fds, shms) tagp) - (S_proc (pi, pctxt', fds', {}) (tagp \ tagf))) \ static" -| s_clone: "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; - permission_check pctxt pctxt C_process P_fork; - inherit_fds_check_s pctxt fds'; fds' \ fds; - inherit_shms_check_s pctxt shms'; shms' \ shms\ - \ (add_ss ss (S_proc (Created, pctxt, fds', shms') tagp)) \ static" -| s_kill: "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; - S_proc (pi', pctxt', fds', shms') tagp' \ ss; - permission_check pctxt pctxt' C_process P_sigkill\ - \ (del_ss ss (S_proc (pi', pctxt', fds', shms') tagp')) \ static" -| s_ptrace: "\ss \ static; S_proc sp tagp \ ss; S_proc sp' tagp' \ ss; - permission_check (sextxt_of_sproc sp) (sectxt_of_sproc sp') C_process P_ptrace\ - \ (update_ss_shms (update_ss_shms ss sp tagp) sp' tagp') \ static" -| s_exit: "\ss \ static; S_proc sp tagp \ ss\ \ (del_ss ss (S_proc sp tagp)) \ static" -| s_open: "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; S_file sfs tagf \ ss; sf \ sfs; - search_check_s pctxt sf True; \ is_creat_excl_flag flags; - oflags_check flags pctxt (sectxt_of_sfile sf); permission_check pctxt pctxt C_fd P_setattr\ - \ (update_ss ss (S_proc (pi, pctxt, fds, shms) tagp) - (S_proc (pi, pctxt, fds \ {(pctxt,flags,sf)}, shms) tagp)) \ static" -| s_open': "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; is_creat_excl_flag flags; - S_dir (pfi,fsec,pfsec,asecs) \ ss; search_check_s pctxt (pfi,fsec,pfsec,asecs) False; - nfsec = nfctxt_create pctxt fsec C_file; oflags_check flags pctxt nfsec; - permission_check pctxt fsec C_dir P_add_rename; permission_check pctxt pctxt C_fd P_setattr\ - \ (update_ss (add_ss ss (S_file {(Created, nfsec, Some fsec, asecs \ {fsec})} tagp)) - (S_proc (pi, pctxt, fds, shms) tagp) - (S_proc (pi, pctxt, fds \ {(pctxt, flags, (Created, nfsec, Some fsec, asecs \ {fsec}))}, shms) tagp) - ) \ static" -| S_readf: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; (fdctxt,flags,sf) \ fds; - permission_check pctxt fdctxt C_fd P_setattr; S_file sfs tagf \ ss; sf \ sfs; - permission_check pctxt (sectxt_of_sfile sf) C_file P_read; is_read_flag flags\ - \ (update_ss_shms ss (pi, pctxt,fds,shms) (tagp \ tagf)) \ static" -| S_writef: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; (fdctxt,flags,sf) \ fds; - permission_check pctxt fdctxt C_fd P_setattr; sf \ sfs; S_file sfs tagf \ ss; - permission_check pctxt (sectxt_of_sfile sf) C_file P_write; is_write_flag flags\ - \ (update_ss ss (S_file sfs tagf) (S_file sfs (tagp \ tagf))) \ static" -| S_unlink: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_file sfs tagf \ ss; - (Init f,fsec,Some pfsec,asecs) \ sfs; - search_check_s pctxt (Init f,fsec,Some pfsec,asecs) True; - permission_check pctxt fsec C_file P_unlink; - permission_check pctxt pfsec C_dir P_remove_name\ - \ ((ss - {S_file sfs tagf}) \ {S_file (sfs - {(Init f,fsec,Some pfsec,asecs)}) tagf}) \ static" -| S_rmdir: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; - S_dir (fi,fsec,Some pfsec,asecs) \ ss; - search_check_s pctxt (fi,fsec,Some pfsec,asecs) False; - permission_check pctxt fsec C_dir P_rmdir; - permission_check pctxt pfsec C_dir P_remove_name\ - \ (del_ss ss (S_dir (fi,fsec,Some pfsec,asecs))) \ static" -| S_mkdir: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_dir (fi,fsec,pfsec,asecs) \ ss; - search_check_s pctxt (fi,fsec,pfsec,asecs) False; - permission_check pctxt (nfctxt_create pctxt fsec C_dir) C_dir P_create; - permission_check pctxt fsec C_dir P_add_name\ - \ (add_ss ss (S_dir (Created,nfctxt_create pctxt fsec C_dir,Some fsec,asecs \ {fsec}))) \ static" -| s_link: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_dir (pfi,pfsec,ppfsec,asecs) \ ss; - S_file sfs tagf \ ss; sf \ sfs; nfsec = nfctxt_create pctxt pfsec C_file; - search_check_s pctxt (pfi,pfsec,ppfsec,asecs) False; search_check_s pctxt sf True; - permission_check pctxt (sectxt_of_sfile sf) C_file P_link; - permission_check pctxt pfsec C_dir P_add_name\ - \ (update_ss ss (S_file sfs tagf) - (S_file (sfs \ {(Created,nfsec,Some pfsec, asecs \ {pfsec})}) tagf)) \ static" -| s_trunc: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_file sfs tagf \ ss; sf \ sfs; - search_check_s pctxt sf True; permission_check pctxt (sectxt_of_sfile sf) C_file P_setattr\ - \ (update_ss ss (S_file sfs tagf) (S_file sfs (tagf \ tagp))) \ static" -(* -| s_rename: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_file sfs tagf \ ss; - (sf#spf') \ sfs; S_dir spf tagpf \ ss; \((sf#spf') \ (sf#spf)); - search_check_s pctxt spf False; search_check_s pctxt (sf#spf') True; - sectxt_of_sfile (sf#spf') = Some fctxt; sectxt_of_sfile spf = Some pfctxt; - permission_check pctxt fctxt C_file P_rename; - permission_check pctxt pfctxt C_dir P_add_name; - ss_rename ss (sf#spf') (sf#spf) ss'; - ss_rename_no_same_fname ss (sf#spf') (sf#spf)\ - \ ss' \ static" -| s_rename': "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_dir (sf#spf') tagf \ ss; - S_dir spf tagpf \ ss; \((sf#spf') \ (sf#spf)); - search_check_s pctxt spf False; search_check_s pctxt (sf#spf') True; - sectxt_of_sfile (sf#spf') = Some fctxt; sectxt_of_sfile spf = Some pfctxt; - permission_check pctxt fctxt C_dir P_reparent; - permission_check pctxt pfctxt C_dir P_add_name; - ss_rename ss (sf#spf') (sf#spf) ss'; - ss_rename_no_same_fname ss (sf#spf') (sf#spf)\ - \ ss' \ static" -*) -| s_createq: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; - permission_check pctxt pctxt C_msgq P_associate; - permission_check pctxt pctxt C_msgq P_create\ - \ (add_ss ss (S_msgq (Created,pctxt,[]))) \ static" -| s_sendmsg: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_msgq (qi,qctxt,sms) \ ss; - permission_check pctxt qctxt C_msgq P_enqueue; - permission_check pctxt qctxt C_msgq P_write; - permission_check pctxt pctxt C_msg P_create\ - \ (update_ss ss (S_msgq (qi,qctxt,sms)) - (S_msgq (qi,qctxt,sms @ [(Created, pctxt, tagp)]))) \ static" -| s_recvmsg: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; - S_msgq (qi,qctxt,(mi,mctxt,tagm)#sms) \ ss; - permission_check pctxt qctxt C_msgq P_read; - permission_check pctxt mctxt C_msg P_receive\ - \ (update_ss (update_ss_shms ss (pi,pctxt,fds,shms) (tagp \ tagm)) - (S_msgq (qi, qctxt, (mi, mctxt, tagm)#sms)) - (S_msgq (qi, qctxt, sms))) \ static" -| s_removeq: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_msgq (qi,qctxt,sms) \ ss; - permission_check pctxt qctxt C_msgq P_destroy\ - \ (del_ss ss (S_msgq (qi,qctxt,sms))) \ static" -| s_createh: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; - permission_check pctxt pctxt C_shm P_associate; - permission_check pctxt pctxt C_shm P_create\ - \ (add_ss ss (S_shm (Created, pctxt))) \ static" -| s_attach: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_shm (hi,hctxt) \ ss; - if flag = SHM_RDONLY then permission_check pctxt hctxt C_shm P_read - else (permission_check pctxt hctxt C_shm P_read \ - permission_check pctxt hctxt C_shm P_write)\ - \ (update_ss ss (S_proc (pi,pctxt,fds,shms) tagp) - (S_proc (pi,pctxt,fds,shms \ {((hi,hctxt),flag)}) tagp)) \ static" -| s_detach: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_shm sh \ ss; - (sh,flag) \ shms; \ is_many_sshm sh\ - \ (update_ss ss (S_proc (pi,pctxt,fds,shms) tagp) - (S_proc (pi,pctxt,fds,shms - {(sh,flag)}) tagp)) \ static" -| s_deleteh: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_shm (hi,hctxt) \ ss; - permission_check pctxt hctxt C_shm P_destroy; \ is_many_sshm sh\ - \ (remove_sproc_sshm (del_ss ss (S_shm (hi,hctxt))) (hi,hctxt)) \ static" (* fun smsg_related :: "t_msg \ t_smsg list \ bool" @@ -672,144 +635,6 @@ *) | "init_obj_related _ _ = False" -fun tainted_s :: "t_static_state \ t_sobject \ bool" -where - "tainted_s ss (S_proc sp tag) = (S_proc sp tag \ ss \ tag = True)" -| "tainted_s ss (S_file sfs tag) = (S_file sfs tag \ ss \ tag = True)" -(* -| "tainted_s ss (S_msg (qi, sec, sms) (mi, secm, tag)) = - (S_msgq (qi, sec, sms) \ ss \ (mi,secm,tag) \ set sms \ tag = True)" -*) -| "tainted_s ss _ = False" - -(* -fun tainted_s :: "t_object \ t_static_state \ bool" -where - "tainted_s (O_proc p) ss = (\ sp. S_proc sp True \ ss \ sproc_related p sp)" -| "tainted_s (O_file f) ss = (\ sfs sf. S_file sfs True \ ss \ sf \ sfs \ sfile_related f sf)" -| "tainted_s (O_msg q m) ss = (\ sq. S_msgq sq \ ss \ smsgq_smsg_relatainted q m sq)" -| "tainted_s _ ss = False" -*) - -definition taintable_s :: "t_object \ bool" -where - "taintable_s obj \ \ ss \ static. \ sobj. tainted_s ss sobj \ init_obj_related sobj obj \ init_alive obj" - -definition deletable_s :: "t_object \ bool" -where - "deletable_s obj \ init_alive obj \ (\ ss \ static. \ sobj \ ss. \ init_obj_related sobj obj)" - -definition undeletable_s :: "t_object \ bool" -where - "undeletable_s obj \ init_alive obj \ (\ ss \ static. \ sobj \ ss. init_obj_related sobj obj)" - - -(**************** translation from dynamic to static *******************) - -definition cf2sfile :: "t_state \ t_file \ t_sfile option" -where - "cf2sfile s f \ - case (parent f) of - None \ Some sroot - | Some pf \ if (is_file s f) - then (case (sectxt_of_obj s (O_file f), sectxt_of_obj s (O_dir pf), get_parentfs_ctxts s pf) of - (Some sec, Some psec, Some asecs) \ - Some (if (\ deleted (O_file f) s \ is_init_file f) then Init f else Created, sec, Some psec, set asecs) - | _ \ None) - else (case (sectxt_of_obj s (O_dir f), sectxt_of_obj s (O_dir pf), get_parentfs_ctxts s pf) of - (Some sec, Some psec, Some asecs) \ - Some (if (\ deleted (O_dir f) s \ is_init_dir f) then Init f else Created, sec, Some psec, set asecs) - | _ \ None)" - -definition cf2sfiles :: "t_state \ t_file \ t_sfile set" -where - "cf2sfiles s f \ {sf. \ f' \ (same_inode_files s f). cf2sfile s f' = Some sf}" - -(* here cf2sfile is passed with True, because, process' fds are only for files not dirs *) -definition cfd2sfd :: "t_state \ t_process \ t_fd \ t_sfd option" -where - "cfd2sfd s p fd \ - (case (file_of_proc_fd s p fd, flags_of_proc_fd s p fd, sectxt_of_obj s (O_fd p fd)) of - (Some f, Some flags, Some sec) \ (case (cf2sfile s f) of - Some sf \ Some (sec, flags, sf) - | _ \ None) - | _ \ None)" - - -definition cpfd2sfds :: "t_state \ t_process \ t_sfd set" -where - "cpfd2sfds s p \ {sfd. \ fd \ proc_file_fds s p. cfd2sfd s p fd = Some sfd}" - -definition ch2sshm :: "t_state \ t_shm \ t_sshm option" -where - "ch2sshm s h \ (case (sectxt_of_obj s (O_shm h)) of - Some sec \ - Some (if (\ deleted (O_shm h) s \ h \ init_shms) then Init h else Created, sec) - | _ \ None)" - -definition cph2spshs :: "t_state \ t_process \ t_sproc_sshm set" -where - "cph2spshs s p \ {(sh, flag)| sh flag h. (p, flag) \ procs_of_shm s h \ ch2sshm s h = Some sh}" - -definition cp2sproc :: "t_state \ t_process \ t_sproc option" -where - "cp2sproc s p \ (case (sectxt_of_obj s (O_proc p)) of - Some sec \ - Some (if (\ deleted (O_proc p) s \ p \ init_procs) then Init p else Created, sec, - cpfd2sfds s p, cph2spshs s p) - | _ \ None)" - -definition cm2smsg :: "t_state \ t_msgq \ t_msg \ t_smsg option" -where - "cm2smsg s q m \ (case (sectxt_of_obj s (O_msg q m)) of - Some sec \ - Some (if (\ deleted (O_msg q m) s \ m \ set (init_msgs_of_queue q)) then Init m else Created, - sec, O_msg q m \ tainted s) - | _ \ None)" - -fun cqm2sms:: "t_state \ t_msgq \ t_msg list \ (t_smsg list) option" -where - "cqm2sms s q [] = Some []" -| "cqm2sms s q (m#ms) = - (case (cqm2sms s q ms, cm2smsg s q m) of - (Some sms, Some sm) \ Some (sm#sms) - | _ \ None)" - -definition cq2smsgq :: "t_state \ t_msgq \ t_smsgq option" -where - "cq2smsgq s q \ (case (sectxt_of_obj s (O_msgq q), cqm2sms s q (msgs_of_queue s q)) of - (Some sec, Some sms) \ - Some (if (\ deleted (O_msgq q) s \ q \ init_msgqs) then Init q else Created, - sec, sms) - | _ \ None)" - -fun co2sobj :: "t_state \ t_object \ t_sobject option" -where - "co2sobj s (O_proc p) = - (case (cp2sproc s p) of - Some sp \ Some (S_proc sp (O_proc p \ tainted s)) - | _ \ None)" -| "co2sobj s (O_file f) = - Some (S_file (cf2sfiles s f) (O_file f \ tainted s))" -| "co2sobj s (O_dir f) = - (case (cf2sfile s f) of - Some sf \ Some (S_dir sf) - | _ \ None)" -| "co2sobj s (O_msgq q) = - (case (cq2smsgq s q) of - Some sq \ Some (S_msgq sq) - | _ \ None)" -| "co2sobj s (O_shm h) = - (case (ch2sshm s h) of - Some sh \ Some (S_shm sh) - | _ \ None)" -(* -| "co2sobj s (O_msg q m) = - (case (cq2smsgq s q, cm2smsg s q m) of - (Some sq, Some sm) \ Some (S_msg sq sm) - | _ \ None)" -*) -| "co2sobj s _ = None" (***************** for backward proof when Instancing static objects ******************) @@ -863,10 +688,6 @@ where "new_childf pf \ = next_fname pf \ # pf" -definition s2ss :: "t_state \ t_static_state" -where - "s2ss s \ {sobj. \ obj. alive s obj \ co2sobj s obj = Some sobj}" - end end \ No newline at end of file diff -r 0753309adfc7 -r 6f9a588bcfc4 Tainted_prop.thy --- a/Tainted_prop.thy Thu Oct 24 09:42:35 2013 +0800 +++ b/Tainted_prop.thy Wed Oct 30 08:18:40 2013 +0800 @@ -36,7 +36,7 @@ | "Tainted (WriteFile p fd # s) = (case (file_of_proc_fd s p fd) of Some f \ if (O_proc p) \ Tainted s - then Tainted s \ {O_file f' | f'. has_same_inode s f f'} + then Tainted s \ {O_file f' | f'. f' \ same_inode_files s f} else Tainted s | None \ Tainted s)" | "Tainted (CloseFd p fd # s) = @@ -50,7 +50,7 @@ (if (O_file f \ Tainted s) then Tainted s \ {O_file f'} else Tainted s)" | "Tainted (Truncate p f len # s) = (if (len > 0 \ O_proc p \ Tainted s) - then Tainted s \ {O_file f' | f'. has_same_inode s f f'} + then Tainted s \ {O_file f' | f'. f' \ same_inode_files s f} else Tainted s)" | "Tainted (Attach p h flag # s) = (if (O_proc p \ Tainted s \ flag = SHM_RDWR) @@ -80,8 +80,9 @@ apply (drule seeds_in_init, case_tac obj, simp_all add:is_file_nil) apply (frule vd_cons, frule valid_Tainted_obj, simp, frule vt_grant_os, case_tac a) apply (auto simp:alive_simps split:if_splits option.splits t_object.splits - intro:has_same_inode_prop2 has_same_inode_prop1 procs_of_shm_prop2 + intro:same_inode_files_prop1 procs_of_shm_prop2 dest:info_shm_flow_in_procs) +apply (auto simp:same_inode_files_def is_file_def split:if_splits) done lemma Tainted_proc_in_current: @@ -161,6 +162,10 @@ qed qed +lemma has_same_inode_comm: + "has_same_inode s f f' = has_same_inode s f' f" +by (auto simp add:has_same_inode_def same_inode_files_def is_file_def) + lemma tainted_imp_Tainted: "obj \ tainted s \ obj \ Tainted s" apply (induct rule:tainted.induct) (* @@ -170,7 +175,7 @@ apply (rule disjI2, rule_tac x = flag' in exI, simp) apply ((rule impI)+, erule_tac x = p' in allE, simp) *) -apply (auto intro:info_flow_shm_Tainted dest:vd_cons) +apply (auto intro:info_flow_shm_Tainted simp:has_same_inode_def dest:vd_cons) apply (case_tac e, auto split:option.splits if_splits simp:alive_simps) done @@ -184,7 +189,8 @@ apply (induct s arbitrary:obj, simp add:t_init) apply (frule Tainted_in_current, simp+) apply (frule vt_grant_os, frule vd_cons, case_tac a) -apply (auto split:if_splits option.splits elim:Tainted_imp_tainted_aux_remain intro:tainted.intros) +apply (auto split:if_splits option.splits elim:Tainted_imp_tainted_aux_remain intro:tainted.intros + simp:has_same_inode_def) done lemma tainted_eq_Tainted: @@ -195,19 +201,43 @@ "\O_proc p \ tainted s; info_flow_shm s p p'; valid s\ \ O_proc p' \ tainted s" by (simp only:tainted_eq_Tainted info_flow_shm_Tainted) + +lemma same_inode_files_Tainted: + "\O_file f \ Tainted s; f' \ same_inode_files s f; valid s\ \ O_file f' \ Tainted s" +apply (induct s arbitrary:f f', simp add:same_inode_in_seeds has_same_inode_def) +apply (frule vt_grant_os, frule vd_cons, case_tac a) +prefer 6 +apply (simp split:if_splits option.splits add:same_inode_files_open current_files_simps) +prefer 8 +apply (frule Tainted_in_current, simp, simp add:alive.simps, drule is_file_in_current) +apply (auto simp add:same_inode_files_closefd split:option.splits if_splits)[1] +prefer 8 +apply (frule Tainted_in_current, simp, simp add:alive.simps, drule is_file_in_current) +apply (auto simp add:same_inode_files_unlink split:option.splits if_splits)[1] +prefer 10 +apply (auto split:if_splits option.splits simp:same_inode_files_linkhard current_files_simps)[1] +apply (drule Tainted_in_current, simp, simp add:alive.simps is_file_in_current) +apply (drule same_inode_files_prop5, simp) +apply (drule same_inode_files_prop5, drule_tac f' = list1 and f'' = f' in same_inode_files_prop4, simp, simp) + +apply (auto simp:same_inode_files_other split:if_splits) +apply (drule_tac f'' = f' and f' = f and f = fa in same_inode_files_prop4, simp+) +apply (drule_tac f'' = f' and f' = f and f = list in same_inode_files_prop4, simp+) +done + lemma has_same_inode_Tainted: "\O_file f \ Tainted s; has_same_inode s f f'; valid s\ \ O_file f' \ Tainted s" -apply (induct s arbitrary:f f', simp add:same_inode_in_seeds) -apply (frule vt_grant_os, frule vd_cons, case_tac a) -apply (auto split:if_splits option.splits simp:has_same_inode_def dest:iof's_im_in_cim) -apply (drule_tac obj = "O_file list2" in Tainted_in_current, simp, simp add:is_file_in_current) -done +by (simp add:has_same_inode_def same_inode_files_Tainted) lemma has_same_inode_tainted: "\O_file f \ tainted s; has_same_inode s f f'; valid s\ \ O_file f' \ tainted s" by (simp add:has_same_inode_Tainted tainted_eq_Tainted) - +lemma same_inodes_Tainted: + "\f \ same_inode_files s f'; valid s\ \ (O_file f \ Tainted s) = (O_file f' \ Tainted s)" +apply (frule same_inode_files_prop8, frule same_inode_files_prop7) +apply (auto intro:has_same_inode_Tainted) +done