Theory HuntSands

(*File: HuntSands.thy*)
(*Authors: Lennart Beringer and Martin Hofmann, LMU Munich 2008*)
theory HuntSands imports VDM Lattice begin
section‹Flow-sensitivity a la Hunt and Sands›

text‹\label{sec:HuntSands}\footnote{As the Isabelle theory representing this section is
dependent only on VDM.thy and Lattice.thy, name conflicts with
notions defined in Section \ref{sec:BaseLineNI} are avoided.} The
paper \<^cite>‹"HuntSands:POPL2006"› by Hunt and Sands presents a
generalisation of the type system of Volpano et al.~to
flow-sensitivity. Thus, programs such as $l:=h; l:=5$ are not rejected
any longer by the type system. Following the description in Section 4
of our paper~\<^cite>‹"BeringerHofmann:CSF2007"›, we embed Hunt and Sands'
type system into the program logic given in Section \ref{sec:VDM}.›

subsection‹General $A; R \Rightarrow S$-security›
text‹\label{sec:ARSsecurity}Again, we define the type $TT$ of
intermediate formulae $\Phi$, and an assertion operator
$\mathit{Sec}$. The latter is now parametrised not only by the
intermediate formulae but also by the (possibly differing) pre- and
post-relations $R$ and $S$ (both instantiated to $\approx$ in Section
\ref{sec:BaseLineNI}), and by a specification $A$ that directly links
pre- and post-states.›

type_synonym TT = "(State × State) ⇒ bool"

definition RSsecure::"(State ⇒ State ⇒ bool) ⇒
(State ⇒ State ⇒ bool) ⇒ IMP ⇒ bool"
where "RSsecure R S c = (∀ s t ss tt . R s t ⟶ (s,c ⇓ ss) ⟶
(t,c ⇓ tt) ⟶ S ss tt)"

definition ARSsecure::"VDMAssn ⇒ (State ⇒ State ⇒ bool) ⇒
(State ⇒ State ⇒ bool) ⇒ IMP ⇒ bool"
where "ARSsecure A R S c = ((⊨ c : A) ∧ RSsecure R S c)"

text‹Definition 3 of our paper follows.›

definition Sec :: "VDMAssn ⇒ (State ⇒ State ⇒ bool) ⇒
(State ⇒ State ⇒ bool) ⇒ TT ⇒ VDMAssn"
where "Sec A R S Φ s t = (A s t ∧
(∀ r . R s r ⟶ Φ(t,r)) ∧ (∀ r . Φ(r,s) ⟶ S r t))"

text‹With these definitions, we can prove Proposition 4 of our
paper.›

lemma Prop4A: "⊨ c : Sec A R S Φ ⟹ ARSsecure A R S c"
(*<*)
(*>*)

lemma Prop4B : "ARSsecure A R S c ⟹
⊨ c : Sec A R S (λ (r,t) . ∃ s . (s , c ⇓ r) ∧ R s t)"
(*<*)
apply clarsimp
apply rule apply fastforce
apply rule
apply (rule, rule) apply (rule_tac x=s in exI, rule, assumption+)
apply (rule, rule, erule exE, erule conjE) apply fast
done
(*>*)

subsection‹Basic definitions›

text‹Contexts map program variables to lattice elements.›

type_synonym "CONTEXT" = "Var ⇒ L"

definition upd ::"CONTEXT ⇒ Var ⇒ L ⇒ CONTEXT"
where "upd G x p = (λ y . if x=y then p else G y)"

text‹We also define the predicate $\mathit{EQ}$
%(in our paper denoted by the symbol $\ltimes$)
which expresses when two states agree on all
variables whose entry in a given context is below a certain security
level.›

definition EQ:: "CONTEXT ⇒ L ⇒ State ⇒ State ⇒ bool"
where "EQ G p = (λ s t . ∀ x . LEQ (G x) p ⟶  s x = t x)"

lemma EQ_LEQ: "⟦EQ G p s t; LEQ pp p⟧ ⟹ EQ G pp s t"
(*<*)
apply (erule_tac x=x in allE, erule mp)
apply (erule LAT2, assumption)
done
(*>*)

text‹The assertion called $\mathcal{Q}$ in our paper:›

definition Q::"L ⇒ CONTEXT ⇒ VDMAssn"
where "Q p H = (λ s t . ∀ x . (¬ LEQ p (H x)) ⟶ t x = s x)"

text‹$Q$ expresses the preservation of values in a single execution,
and corresponds to the first clause of Definition 3.2 in
\<^cite>‹"HuntSands:POPL2006"›. In accordance with this, the following
definition of security instantiates the $A$ position of $A; R \Rightarrow S$-security with $Q$, while the context-dependent binary
state relations are plugged in as the $R$ and $S$ components.›

definition secure :: "L ⇒ CONTEXT ⇒ IMP ⇒ CONTEXT ⇒ bool"
where "secure p G c H = (∀ q . ARSsecure (Q p H) (EQ G q) (EQ H q) c)"

text‹Indeed, one may show that this notion of security amounds to the
conjunction of a unary (i.e.~one-execution-)property and a binary
(i.e.~two-execution-) property, as expressed in Hunt \& Sands'
Definition 3.2.›

definition secure1 :: "L ⇒ CONTEXT ⇒ IMP ⇒ CONTEXT ⇒ bool"
where "secure1 p G c H = (∀ s t . (s,c ⇓ t) ⟶ Q p H s t)"

definition secure2 :: "L ⇒ CONTEXT ⇒ IMP ⇒ CONTEXT ⇒ bool"
where "secure2 p G c H = ((∀ s t ss tt . (s,c ⇓ t) ⟶ (ss,c ⇓ tt) ⟶
EQ G p s ss ⟶ EQ H p t tt))"

lemma secureEQUIV:
"secure p G c H = (∀ q . secure1 p G c H ∧ secure2 q G c H)"
(*>*)

subsection‹Type system›

text‹The type system of Hunt and Sands -- our language formalisation
uses a concrete datatype of expressions, so we add the obvious typing
rules for expressions and prove the expected evaluation lemmas.›

inductive_set HS_E:: "(CONTEXT × Expr × L) set"
where
HS_E_var: "(G, varE x, G x) : HS_E"
| HS_E_val: "(G, valE c, bottom) : HS_E"
| HS_E_op: "⟦(G, e1,p1):HS_E; (G, e2,p2):HS_E; p= LUB p1 p2⟧
⟹ (G,opE f e1 e2,p) : HS_E"
| HS_E_sup: "⟦(G,e,p):HS_E; LEQ p q⟧ ⟹ (G,e,q):HS_E"

lemma HS_E_eval[rule_format]:
"(G, e, t) ∈ HS_E ⟹
∀ r s q. EQ G q r s ⟶ LEQ t q ⟶ evalE e r = evalE e s"
(*<*)
apply (erule HS_E.induct)
apply clarsimp  apply (simp add: EQ_def)
apply clarsimp
apply clarsimp
apply (erule_tac x=r in allE, erule_tac x=r in allE)
apply (erule_tac x=s in allE, erule_tac x=s in allE)
apply (erule_tac x=q in allE, erule_tac x=q in allE, clarsimp)
apply (erule impE) apply (rule LAT2) prefer 2 apply assumption
apply (erule impE) apply (rule LAT2) prefer 2 apply assumption
apply (subgoal_tac "LEQ p2 (LUB p2 p1)")
apply clarsimp
apply clarsimp
apply (erule_tac x=r in allE, erule_tac x=s in allE, erule_tac x=qa in allE, erule impE)
apply clarsimp
apply (erule mp) apply (erule LAT2, assumption)
done
(*>*)

text‹Likewise for boolean expressions:›

inductive_set HS_B:: "(CONTEXT × BExpr × L) set"
where
HS_B_compB: "⟦(G, e1,p1):HS_E; (G, e2,p2):HS_E; p= LUB p1 p2⟧
⟹ (G,compB f e1 e2,p) : HS_B"
| HS_B_sup: "⟦(G,b,p):HS_B; LEQ p q⟧ ⟹ (G,b,q):HS_B"

lemma HS_B_eval[rule_format]:
"(G, b, t) ∈ HS_B ⟹
∀ r s pp . EQ G pp r s ⟶ LEQ t pp ⟶  evalB b r = evalB b s"
(*<*)
apply (erule HS_B.induct)
apply clarsimp
apply (subgoal_tac "evalE e1 r = evalE e1 s", clarsimp)
prefer 2 apply (erule HS_E_eval) apply assumption
apply (rule LAT2) prefer 2 apply assumption apply (simp add: LAT3)
apply (subgoal_tac "evalE e2 r = evalE e2 s", clarsimp)
apply (erule HS_E_eval) apply assumption
apply (rule LAT2) prefer 2 apply assumption
apply (subgoal_tac "LEQ p2 (LUB p2 p1)", simp add: LAT4)
apply clarsimp
apply (erule_tac x=r in allE, erule_tac x=s in allE, erule_tac x=pp in allE, erule impE)
apply clarsimp
apply (erule mp) apply (erule LAT2, assumption)
done
(*>*)

text‹The typing rules for commands follow.›

inductive_set HS::"(L × CONTEXT × IMP × CONTEXT) set"
where
HS_Skip:   "(p,G,Skip,G):HS"

| HS_Assign:
"(G,e,t):HS_E ⟹ (p,G,Assign x e,upd G x (LUB p t)):HS"

| HS_Seq:
"⟦(p,G,c,K):HS; (p,K,d,H):HS⟧ ⟹ (p,G, Comp c d,H):HS"

| HS_If:
"⟦(G,b,t):HS_B; (LUB p t,G,c,H):HS; (LUB p t,G,d,H):HS⟧ ⟹
(p,G,Iff b c d,H):HS"

| HS_If_alg:
"⟦(G,b,p):HS_B; (p,G,c,H):HS; (p,G,d,H):HS⟧ ⟹
(p,G,Iff b c d,H):HS"

| HS_While:
"⟦(G,b,t):HS_B; (LUB p t,G,c,H):HS;H=G⟧ ⟹
(p,G,While b c,H):HS"

| HS_Sub:
"⟦ (pp,GG,c,HH):HS; LEQ p pp; ∀ x . LEQ (G x) (GG x);
∀ x . LEQ (HH x) (H x)⟧ ⟹
(p,G,c,H):HS"

text ‹Using ‹HS_Sub›, rules ‹If› and ‹If_alg› are
inter-derivable.›

lemma IF_derivable_from_If_alg:
"⟦(G,b,t):HS_B; (LUB p t,G,c1,H):HS; (LUB p t,G,c2,H):HS⟧
⟹ (p,G,Iff b c1 c2,H):HS"
apply (subgoal_tac "(LUB p t,G,Iff b c1 c2,H):HS")
apply (erule HS_Sub) apply (rule LAT3)
apply (clarsimp, rule LAT6) apply (clarsimp, rule LAT6)
apply (rule HS_If_alg) apply (erule HS_B_sup)
apply (subgoal_tac "LEQ t (LUB t p)", simp add: LAT4)
apply (rule LAT3) apply assumption+
done

lemma IF_alg_derivable_from_If:
"⟦(G,b,p):HS_B; (p,G,c1,H):HS; (p,G,c2,H):HS⟧
⟹ (p,G,Iff b c1 c2,H):HS"
apply (erule HS_If) apply (subgoal_tac "LUB p p = p", clarsimp)
apply (subgoal_tac "p = LUB p p", fastforce) apply (rule LAT7)
apply (subgoal_tac "LUB p p = p", clarsimp)
apply (subgoal_tac "p = LUB p p", fastforce) apply (rule LAT7)
done

text‹An easy induction on typing derivations shows the following property.›

lemma HS_Aux1:
"(p,G,c,H):HS ⟹ ∀ x. LEQ (G x) (H x) ∨ LEQ p (H x)"
(*<*)
apply (erule HS.induct)
(*Skip*)
(*Assign*)
apply (simp add: upd_def) apply clarsimp apply rule
apply clarsimp apply (simp add: LAT3)
apply clarsimp apply (simp add: LAT6)
(*Seq*)
apply clarsimp
apply (erule_tac x=x in allE, erule disjE)
apply (erule_tac x=x in allE, erule disjE)
apply (erule LAT2) apply assumption apply fast
apply (erule_tac x=x in allE, erule disjE)
apply(subgoal_tac "LEQ p (H x)", fast)
apply (erule LAT2) apply assumption apply fast
(*If*)
apply clarsimp
apply (erule_tac x=x in allE, erule disjE) apply assumption
apply(subgoal_tac "LEQ p (H x)", fast)
apply (subgoal_tac "LEQ p (LUB p t)", rotate_tac -1)
apply (erule LAT2) apply assumption
apply (rule LAT3)
(*If2*)
apply clarsimp
(*While*)
apply clarsimp
(*Sub*)
apply clarsimp
apply (erule_tac x=x in allE, erule disjE)
apply (erule_tac x=x in allE)
apply (erule_tac x=x in allE)
apply (erule LAT2)
apply (erule LAT2) apply assumption
apply (erule_tac x=x in allE)
apply (erule LAT2)
apply (erule_tac x=x in allE)
apply (subgoal_tac "LEQ p (H x)", fast)
apply (erule LAT2)
apply (erule LAT2) apply assumption
done
(*>*)

subsection‹Derived proof rules›

text‹In order to show the derivability of the properties given in
Theorem 3.3 of Hunt and Sands' paper, we give the following derived
proof rules. By including the $Q$ property in the $A$ position of
$Sec$, we prove both parts of theorem in one proof, and can exploit
the first property ($Q$) in the proof of the second.›

lemma SKIP:
"X ⊳ Skip : Sec (Q p H) (EQ G q) (EQ G q)
(λ (s,t) . EQ G q s t)"
(*<*)
apply (rule VDMConseq, rule VDMSkip)
apply (simp add: Sec_def EQ_def Q_def)
done
(*>*)

lemma ASSIGN:
"⟦H = upd G x (LUB p t);
∀ s ss . EQ G t s ss ⟶ evalE e s = evalE e ss⟧
⟹ X ⊳ Assign x e : Sec (Q p H) (EQ G q) (EQ H q)
(λ (s,t) . ∃ r . s = update r x (evalE e r) ∧ EQ G q r t)"
(*<*)
apply (rule VDMConseq, rule VDMAssign) apply clarsimp
apply (simp add: Sec_def EQ_def Q_def)
apply (rule, clarsimp) apply (simp add: update_def upd_def)
apply (case_tac "x=xa", clarsimp) apply (simp add: LAT3)
apply clarsimp
apply (rule, clarsimp) apply (rule_tac x=s in exI, simp)
apply clarsimp
apply (case_tac "x=xa", clarsimp, hypsubst_thin)
apply (erule_tac x=ra in allE, erule_tac x=s in allE, erule mp, clarsimp)
apply (erule_tac x=x in allE, erule mp)
apply (erule LAT2, rule LAT2) prefer 2 apply assumption
apply (subgoal_tac "LEQ t (LUB t p)", simp add: LAT4)  apply (rule LAT3)
done
(*>*)

lemma COMP:
"⟦ X ⊳ c1 : Sec (Q p K) (EQ G q) (EQ K q) Φ;
X ⊳ c2 : Sec (Q p H) (EQ K q) (EQ H q) Ψ;
∀ x . LEQ (G x) (K x) ∨ LEQ p (K x);
∀ x . LEQ (K x) (H x) ∨ LEQ p (H x)⟧
⟹ X ⊳ Comp c1 c2 : Sec (Q p H) (EQ G q) (EQ H q)
(λ (x, y) . ∃ z . Φ (z, y) ∧
(∀ w . EQ K q z w ⟶ Ψ (x, w)))"
(*<*)
apply (rule VDMConseq, rule VDMComp, assumption, assumption, clarsimp)
apply (erule thin_rl, erule thin_rl)
apply (simp add: Sec_def, rule, clarsimp)
apply (rotate_tac 3, erule_tac x=x in allE, erule impE, assumption)
apply (erule_tac x=x in allE, clarsimp)
apply (erule_tac x=x in allE, clarsimp)
apply (subgoal_tac "LEQ p (H x)", fast)
apply (erule LAT2) apply assumption
apply (rule, clarsimp)
apply (rule_tac x=r in exI, simp)
apply clarsimp
done
(*>*)

text‹We distinguish, for any given $q$, \emph{parallel} conditionals
from \emph{diagonal} ones. Speaking operationally (i.e.~in terms of
two executions), conditionals of the former kind evaluate the branch
condition identically in both executions. The following rule
expresses this condition explicitly, in the first side condition. The
formula inside the $\mathit{Sec}$-operator of the conclusion resembles
the conclusion of the VDM rule for conditionals in that the formula
chosen depends on the outcome of the branch.›

lemma IF_PARALLEL:
"⟦ ∀ s ss . EQ G p s ss ⟶ evalB b s = evalB b ss;
∀ x. LEQ (G x) (H x) ∨ LEQ p (H x);
∃ x . LEQ p (H x) ∧ LEQ (H x) q;
X ⊳ c1 : Sec (Q p H) (EQ G q) (EQ H q) Φ;
X ⊳ c2 : Sec (Q p H) (EQ G q) (EQ H q) Ψ⟧
⟹ X ⊳ Iff b c1 c2 : Sec (Q p H) (EQ G q) (EQ H q)
(λ (r, u) . (evalB b u ⟶ Φ (r, u)) ∧
( (¬ evalB b u) ⟶ Ψ (r, u)))"
(*<*)
apply (rule VDMConseq, rule VDMIff) apply (assumption, assumption) apply clarsimp
apply (subgoal_tac "(∀x. ¬ LEQ p (H x) ⟶ t x = s x)", simp)
prefer 2 apply (case_tac "evalB b s", clarsimp,clarsimp)
apply (rule, clarsimp)
(*left component of Sec*)
apply (subgoal_tac "evalB b s = evalB b r")
prefer 2 apply (erule_tac x=s in allE, rotate_tac -1, erule_tac x=r in allE, erule mp)
apply (erule EQ_LEQ) apply (erule LAT2, assumption)
apply (case_tac "evalB b s")
apply clarsimp
apply clarsimp
(*right component of Sec*)
apply clarsimp
apply (case_tac "evalB b s")
apply clarsimp
apply clarsimp
done
(*>*)

text‹An alternative formulation replaces the first side condition
with a typing hypothesis on the branch condition, thus exploiting
lemma HS\_B\_eval.›

lemma IF_PARALLEL_tp:
"⟦ (G, b, p) ∈ HS_B; (p , G, c1, H) ∈ HS; (p, G, c2, H) ∈ HS;
∃ x . LEQ p (H x) ∧ LEQ (H x) q;
X ⊳ c1 : Sec (Q p H) (EQ G q) (EQ H q) Φ;
X ⊳ c2 : Sec (Q p H) (EQ G q) (EQ H q) Ψ⟧
⟹ X ⊳ Iff b c1 c2 : Sec (Q p H) (EQ G q) (EQ H q)
(λ (r, u) . (evalB b u ⟶ Φ (r, u)) ∧
( (¬ evalB b u) ⟶ Ψ (r, u)))"
(*<*)
apply (rule IF_PARALLEL)
apply (clarsimp, erule HS_B_eval) apply assumption apply (rule LAT6)
apply (erule HS_Aux1)
apply assumption+
done
(*>*)

text‹Diagonal conditionals, in contrast, capture cases where (from
the perspective of an observer at level $q$) the two executions may
evaluate the branch condition differently. In this case, the formula
inside the $\mathit{Sec}$-operator in the conclusion cannot depend
upon the branch outcome, so the least common denominator of the two
branches must be taken, which is given by the equality condition
w.r.t.~the post-context $H$. A side condition (the first one given in
the rule) ensures that indeed no information leaks during the
execution of either branch, by relating $G$ and $H$.›

lemma IF_DIAGONAL:
"⟦ ∀x. LEQ (G x) (H x) ∨ LEQ p (H x);
¬ (∃x. LEQ p (H x) ∧ LEQ (H x) q);
X ⊳ c1 : Sec (Q p H) (EQ G q) (EQ H q) Φ;
X ⊳ c2 : Sec (Q p H) (EQ G q) (EQ H q) Ψ⟧
⟹ X ⊳ Iff b c1 c2 : Sec (Q p H) (EQ G q) (EQ H q)
(λ (s,t). EQ H q s t)"
(*<*)
apply clarsimp
apply (rule VDMConseq, rule VDMIff) apply (assumption, assumption) apply clarsimp
apply (subgoal_tac "(∀x. ¬ LEQ p (H x) ⟶ t x = s x)", simp)
prefer 2 apply (case_tac "evalB b s")
apply clarsimp
apply clarsimp
apply (rule, clarsimp)
(*Left component*)
apply (simp (no_asm) add: EQ_def, clarsimp)
apply (case_tac "LEQ p (H x)") apply clarsimp
apply (rotate_tac -4, erule_tac x=x in allE, clarsimp)
apply (erule_tac x=x in allE, erule mp)
apply (rotate_tac -4, erule_tac x=x in allE, clarsimp)
apply (erule LAT2, assumption)
(*right component*)
apply clarsimp
apply (case_tac "LEQ p (H x)")
apply clarsimp
apply clarsimp
done
(*>*)

text‹Again, the first side condition of the rule may be replaced by a
typing condition, but now this condition is on the commands (instead
of the branch condition) -- in fact, a derivation for either branch
suffices.›

lemma IF_DIAGONAL_tp:
"⟦ (p, G, c1, H) ∈ HS ∨ (p, G, c2, H) ∈ HS;
¬ (∃x. LEQ p (H x) ∧ LEQ (H x) q);
X ⊳ c1 : Sec (Q p H) (EQ G q) (EQ H q) Φ;
X ⊳ c2 : Sec (Q p H) (EQ G q) (EQ H q) Ψ⟧
⟹ X ⊳ Iff b c1 c2 : Sec (Q p H) (EQ G q) (EQ H q)
(λ (s,t). EQ H q s t)"
(*<*)
apply (rule IF_DIAGONAL)
apply (erule disjE) apply (erule HS_Aux1) apply (erule HS_Aux1)
apply assumption+
done
(*>*)

text‹Obviously, given $q$, any conditional is either parallel or
diagonal as the second side conditions of the diagonal rules and the
parallel rules are exclusive.›

lemma if_algorithmic:
"⟦∃ x . LEQ p (H x) ∧ LEQ (H x) q;
¬ (∃x. LEQ p (H x) ∧ LEQ (H x) q)⟧
⟹ False"
(*<*) by simp (*>*)

text‹As in Section \ref{sec:BaseLineNI} we define a fixed point
construction, useful for the (parallel) while rule.›

definition FIX::"(TT ⇒ TT) ⇒ TT"
where "FIX φ = (λ (s,t). ∀ Φ . (∀ ss tt . φ Φ (ss, tt) ⟶ Φ (ss, tt))
⟶ Φ (s, t))"

text‹For monotone invariant transformers, the construction indeed
yields a fixed point.›

definition Monotone::"(TT ⇒ TT) ⇒ bool"
where "Monotone φ = (∀ Φ Ψ . (∀ s t . Φ(s,t) ⟶ Ψ(s,t)) ⟶
(∀ s t . φ Φ (s,t) ⟶ φ Ψ (s,t)))"

(*<*)
lemma Fix2: "⟦Monotone φ; φ (FIX φ) (s, t)⟧ ⟹ FIX φ (s,t)"
apply (simp add: FIX_def) apply clarsimp
apply (subgoal_tac "φ Φ (s,t)", simp)
apply (subgoal_tac "∀ r u . FIX φ (r,u) ⟶ Φ(r,u)")
prefer 2 apply (erule thin_rl) apply (simp add: FIX_def) apply clarsimp
apply (erule_tac x=Φ in allE, simp)
apply (unfold Monotone_def)
apply (erule_tac x="FIX φ" in allE, erule_tac x=Φ in allE)
apply (erule impE) apply assumption
done

lemma Fix1: "⟦Monotone φ; FIX φ (s,t)⟧ ⟹ φ (FIX φ) (s,t)"
apply (erule_tac x="φ(FIX φ)" in allE)
apply (erule impE)
prefer 2 apply (simp add: FIX_def)
apply (subgoal_tac "∀ r u . φ (FIX φ) (r,u) ⟶ FIX φ (r,u)")
prefer 2 apply clarsimp apply (erule Fix2) apply assumption
apply (unfold Monotone_def)
apply (erule_tac x="φ(FIX φ)" in allE, erule_tac x="FIX φ" in allE, erule impE) apply assumption
apply simp
done
(*>*)
lemma Fix_lemma:"Monotone φ ⟹ φ (FIX φ) = FIX φ"
(*<*)
apply (rule ext, rule iffI)
apply clarsimp apply (erule Fix2) apply assumption
apply clarsimp apply (erule Fix1) apply assumption
done
(*>*)

text‹Next, the definition of a while-operator.›

definition PhiWhilePOp::
"VDMAssn ⇒ BExpr ⇒ TT ⇒ TT ⇒ TT"
where "PhiWhilePOp A b Φ =
(λ Ψ . (λ(r, u). (evalB b u ⟶ (∃z. Φ (z, u) ∧
(∀w. A z w ⟶ Ψ (r, w)))) ∧
((¬ evalB b u) ⟶ A r u)))"

text‹This operator is monotone in $\Phi$.›

lemma PhiWhilePOp_Monotone:"Monotone (PhiWhilePOp A b Φ)"
(*<*)
apply (simp add: PhiWhilePOp_def Monotone_def) apply clarsimp
apply (rule_tac x=z in exI, simp)
done
(*>*)

text‹Therefore, we can define the following fixed point.›

definition PhiWhileP::"VDMAssn ⇒ BExpr ⇒ TT ⇒ TT"
where "PhiWhileP A b Φ = FIX (PhiWhilePOp A b Φ)"

text‹As as a function on $\phi$, this PhiWhileP is itself monotone
in $\phi$:›

lemma PhiWhilePMonotone: "Monotone (λ Φ . PhiWhileP A b Φ)"
(*<*)
apply (simp add: Monotone_def) apply clarsimp
apply (simp add: FIX_def) apply clarsimp
apply (erule_tac x=Φ' in allE, erule mp)
apply (clarsimp) apply (erule_tac x=ss in allE, erule_tac x=tt in allE, erule mp)
apply (simp add: PhiWhilePOp_def) apply clarsimp
apply (rule_tac x=z in exI, simp)
done
(*>*)

text‹Now the rule for parallel while loops, i.e.~loops where the
branch condition evaluates identically in both executions.›

lemma WHILE_PARALLEL:
"⟦ X ⊳ c : Sec (Q p G) (EQ G q) (EQ G q) Φ;
∀ s ss . EQ G p s ss ⟶ evalB b s = evalB b ss; LEQ p q⟧
⟹ X ⊳ While b c : Sec (Q p G) (EQ G q) (EQ G q)
(PhiWhileP (EQ G q) b Φ)"
(*<*)
apply (rule VDMConseq)
apply (rule VDMWhile)
prefer 4 apply (subgoal_tac "∀s t. Sec (Q p G) (EQ G q) (EQ G q) (PhiWhilePOp (EQ G q) b Φ (PhiWhileP (EQ G q) b Φ)) s t ∧ ¬ evalB b t ⟶ Sec (Q p G) (EQ G q) (EQ G q) (PhiWhileP (EQ G q) b Φ) s t") apply assumption
apply clarsimp apply (subgoal_tac "PhiWhilePOp (EQ G q) b Φ (PhiWhileP (EQ G q) b Φ) = PhiWhileP (EQ G q) b Φ", clarsimp)
apply (simp add: PhiWhileP_def) apply (rule Fix_lemma) apply (rule PhiWhilePOp_Monotone)
apply assumption
apply clarsimp apply (simp add: Sec_def)
apply rule apply (simp add: Q_def)
apply (rule, clarsimp) apply (simp add: PhiWhilePOp_def) apply clarsimp
apply (erule_tac x=s in allE, erule_tac x=r in allE, erule impE) apply (erule EQ_LEQ) apply assumption apply clarsimp
apply clarsimp apply (simp add: PhiWhilePOp_def)
apply clarsimp apply (simp add: Sec_def)
apply rule apply clarsimp apply (simp add: Q_def)
apply rule
prefer 2 apply clarsimp
apply (subgoal_tac "∃r. Φ (r, s) ∧ (∀w. EQ G q r w ⟶ (PhiWhileP (EQ G q) b Φ) (ra, w))")
prefer 2 apply (simp add: PhiWhilePOp_def)
apply clarsimp apply (rotate_tac -3, erule thin_rl)
apply (rotate_tac -1, erule_tac x=ra in allE, erule mp)
apply (rotate_tac 1, erule_tac x=r in allE, erule impE) apply fast
apply (subgoal_tac "PhiWhilePOp (EQ G q) b Φ (PhiWhileP (EQ G q) b Φ) = PhiWhileP (EQ G q) b Φ", clarsimp)
apply (rule Fix_lemma) apply (rule PhiWhilePOp_Monotone)
apply clarsimp
apply rule
prefer 2  apply clarsimp
apply (erule_tac x=s in allE, rotate_tac -1, erule_tac x=ra in allE, erule impE)
apply (erule EQ_LEQ) apply assumption apply clarsimp
apply clarsimp
apply (rotate_tac 2, erule_tac x=ra in allE, clarsimp)
apply (rule_tac x=r in exI, rule) apply simp
apply clarsimp
apply (rotate_tac 5, erule_tac x=w in allE, clarsimp)
apply (subgoal_tac "PhiWhilePOp (EQ G q) b Φ (PhiWhileP (EQ G q) b Φ) = PhiWhileP (EQ G q) b Φ", clarsimp)
apply (rule Fix_lemma) apply (rule PhiWhilePOp_Monotone)
done
(*>*)

text‹The side condition regarding the evalution of the branch
condsition may be replaced by a typing hypothesis, thanks to lemma
‹HS_B_eval›.›

lemma WHILE_PARALLEL_tp:
"⟦ X ⊳ c : Sec (Q p G) (EQ G q) (EQ G q) Φ;
(G, b, p) ∈ HS_B; LEQ p q⟧
⟹ X ⊳ While b c : Sec (Q p G) (EQ G q) (EQ G q)
(PhiWhileP (EQ G q) b Φ)"
(*<*)
apply (erule WHILE_PARALLEL)
apply clarsimp
apply (erule HS_B_eval) apply assumption apply (rule LAT6)
apply assumption
done
(*>*)

text‹One may also give an inductive formulation of FIX:›

inductive_set var::"(BExpr × VDMAssn × TT × State × State) set"
where
varFalse:
"⟦¬ evalB b t; A s t⟧ ⟹ (b,A,Φ,s,t):var"
| varTrue:
"⟦evalB b t; Φ(r,t); (∀ w . A r w ⟶
(b,A,Φ,s,w): var) ⟧ ⟹ (b,A,Φ,s,t):var"

(*<*)
lemma varFIX: "(b,A,Φ,s,t):var ⟹ PhiWhileP A b Φ (s,t)"
apply (erule var.induct)
apply (subgoal_tac "PhiWhilePOp A b Φ (FIX (PhiWhilePOp A b Φ)) (s,t)")
apply (subgoal_tac "PhiWhilePOp A b Φ (FIX (PhiWhilePOp A b Φ)) = FIX (PhiWhilePOp A b Φ)", clarsimp)
apply (rule Fix_lemma) apply (rule PhiWhilePOp_Monotone)
apply (subgoal_tac "PhiWhilePOp A b Φ (FIX (PhiWhilePOp A b Φ)) (s,t)")
apply (subgoal_tac "PhiWhilePOp A b Φ (FIX (PhiWhilePOp A b Φ)) = FIX (PhiWhilePOp A b Φ)", clarsimp)
apply (rule Fix_lemma) apply (rule PhiWhilePOp_Monotone)
apply (rule_tac x=r in exI, simp)
apply clarsimp
apply (erule_tac x=w in allE, clarsimp)
done

lemma FIXvar: "PhiWhileP A b Φ (s,t) ⟹ (b,A,Φ,s,t):var"
apply (subgoal_tac "PhiWhilePOp A b Φ (FIX (PhiWhilePOp A b Φ)) (s, t)")
prefer 2
apply (subgoal_tac "PhiWhilePOp A b Φ (FIX (PhiWhilePOp A b Φ)) = FIX (PhiWhilePOp A b Φ)", clarsimp)
apply (rule Fix_lemma) apply (rule PhiWhilePOp_Monotone)
apply (erule thin_rl, simp add: PhiWhilePOp_def) apply clarsimp
apply (case_tac "evalB b t")
prefer 2 apply clarsimp apply (rule varFalse) apply assumption+
apply clarsimp apply (rule varTrue) apply assumption apply assumption
apply clarsimp apply (erule_tac x=w in allE, clarsimp)
apply (unfold FIX_def) apply clarify
apply (erule_tac x="λ (x,y) . (b,A,Φ,x,y):var" in allE, erule impE) prefer 2 apply simp
apply clarsimp
apply (case_tac "evalB b tt")
prefer 2 apply clarsimp apply (rule varFalse) apply assumption+
apply clarsimp apply (rule varTrue) apply assumption+
done
(*>*)

text‹The inductive formulation and the fixed point formulation are
equivalent.›
(*<*)
lemma varFIXvar: "(PhiWhileP A b Φ (s,t)) = ((b,A,Φ,s,t):var)"
apply rule
apply (erule FIXvar)
apply (erule varFIX)
done
(*>*)
(*<*)
lemma FIXvarFIX': "(PhiWhileP A b Φ) = (λ (s,t) . (b,A,Φ,s,t):var)"
apply (rule ext, rule iffI)
apply (case_tac x, clarsimp) apply (erule FIXvar)
apply (case_tac x, clarsimp) apply (simp add: varFIXvar)
done
(*>*)
lemma FIXvarFIX:
"PhiWhileP A b = (λ Φ . (λ (s,t) . (b,A,Φ,s,t):var))"
(*<*)
by (rule, rule FIXvarFIX')
(*>*)

text‹Thus, the above while rule may also be written using the
inductive formulation.›

lemma WHILE_PARALLEL_IND:
"⟦ X ⊳ c : Sec (Q p G) (EQ G q) (EQ G q) Φ;
∀ s ss . EQ G p s ss ⟶ evalB b s = evalB b ss; LEQ p q⟧ ⟹
X ⊳ While b c : (Sec (Q p G) (EQ G q) (EQ G q)
(λ (s,t) . (b,EQ G q,Φ,s,t):var))"
(*<*)
apply (rule VDMConseq)
apply (rule WHILE_PARALLEL) apply assumption+
apply clarsimp
done
(*>*)

text‹Again, we may replace the side condition regarding the branch
condition by a typing hypothesis.›

lemma WHILE_PARALLEL_IND_tp:
"⟦ X ⊳ c : Sec (Q p G) (EQ G q) (EQ G q) Φ;
(G, b, p) ∈ HS_B; LEQ p q ⟧ ⟹
X ⊳ (While b c) :
(Sec (Q p G) (EQ G q) (EQ G q) (λ (s,t) . (b,EQ G q,Φ,s,t):var))"
(*<*)
apply (erule WHILE_PARALLEL_IND)
apply clarsimp
apply (erule HS_B_eval) apply assumption apply (rule LAT6)
apply assumption
done
(*>*)
(*<*)
lemma varMonotoneAux[rule_format]:
"(b, A, Φ, s, t) ∈ var ⟹
(∀s t. Φ (s, t) ⟶ Ψ (s, t)) ⟶
(b, A, Ψ, s, t) ∈ var"
apply (erule var.induct)
apply clarsimp apply (erule varFalse, simp)
apply clarsimp apply (erule varTrue) apply fast apply simp
done
(*>*)
text‹Of course, the inductive formulation is also monotone:›

lemma var_MonotoneInPhi:
"Monotone (λ Φ . (λ (s,t) .(b,A, Φ,s,t):var))"
(*<*)
apply clarsimp
apply (rule varMonotoneAux) apply assumption apply simp
done
(*>*)
(*<*)
lemma varMonotone_byFIX: "Monotone (λ Φ . (λ (s,t) .(b,A, Φ,s,t):var))"
apply (subgoal_tac "Monotone (λ Φ . PhiWhileP A b Φ)")
apply (rule PhiWhilePMonotone)
done
(*>*)

text‹In order to derive a diagonal while rule, we directly define an
inductive relation that calculates the transitive closure of relation
$A$, such that all but the last state evaluate $b$ to
$\mathit{True}$.›

inductive_set varD::"(BExpr × VDMAssn × State × State) set"
where
varDFalse: "⟦¬ evalB b s; A s t⟧ ⟹ (b,A,s,t):varD"
| varDTrue: "⟦evalB b s; A s w; (b,A,w,t): varD ⟧ ⟹ (b,A,s,t):varD"

text‹Here is the obvious definition of transitivity for assertions.›

definition transitive::"VDMAssn ⇒ bool"
where "transitive P = (∀ x y z . P x y ⟶ P y z ⟶ P x z)"

text‹The inductive relation satisfies the following property.›

lemma varD_transitive[rule_format]:
"(b,A,s,t):varD ⟹ transitive A ⟶ A s t"
(*<*)
apply (erule varD.induct)
apply clarsimp
apply clarsimp
apply (unfold transitive_def) apply (erule_tac x=s in allE, erule_tac x=w in allE, erule_tac x=t in allE, simp)
done
(*>*)

text‹On the other hand, the assertion $\mathit{Q}$ defined above is transitive,›

lemma Q_transitive:"transitive (Q q G)"
(*<*)
(*>*)

text‹and is hence respected by the inductive closure:›

lemma varDQ:"(b,Q q G,s,t):varD ⟹ Q q G s t"
(*<*)by (erule varD_transitive,rule Q_transitive)(*>*)

text‹The diagonal while rule has a conclusion that is independent of
$\phi$.›

lemma WHILE_DIAGONAL:
"⟦X ⊳ c : Sec (Q p G) (EQ G q) (EQ G q) Φ; ¬ LEQ p q⟧
⟹ X ⊳ While b c : Sec (Q p G) (EQ G q) (EQ G q)
(λ (s,t). EQ G q s t)"
(*<*)
apply (subgoal_tac "∀x. LEQ p (G x) ⟶ ¬ LEQ (G x) q")
prefer 2 apply (case_tac "∀x. LEQ p (G x) ⟶ ¬ LEQ (G x) q", assumption) apply clarsimp
apply (subgoal_tac "LEQ p q", fast)
apply (erule LAT2, assumption)
apply (rule VDMConseq)
apply (insert VDMWhile)
apply (erule VDMWhile [of X c "Sec (Q p G) (EQ G q) (EQ G q) Φ" b "(λ s t . (b,Q p G,s,t):varD)"])
apply clarsimp apply (erule varDFalse) apply (simp add: Q_def)
apply clarsimp apply (simp add: Sec_def) apply clarsimp
apply (rule varDTrue) apply assumption prefer 2 apply assumption
apply (erule_tac x=s in allE, erule impE, simp add: EQ_def) apply assumption
apply clarsimp
apply rule apply (erule varDQ)
apply (rule, clarsimp)
apply (drule varDQ)  apply (simp add: Q_def EQ_def, clarsimp)
apply (case_tac "LEQ p (G x)") prefer 2 apply simp
apply (rotate_tac -1, drule LAT2) apply assumption apply fast
apply (drule varDQ)  apply (simp add: Q_def EQ_def, clarsimp)
apply (case_tac "LEQ p (G x)") prefer 2 apply simp
apply (rotate_tac -1, drule LAT2) apply assumption apply fast
done
(*>*)

text‹$\mathit{varD}$ is monotone in the assertion position.›

lemma varDMonotoneInAssertion[rule_format]:
"(b, A, s, t) ∈ varD ⟹
(∀s t. A s t ⟶ B s t) ⟶ (b, B, s, t) ∈ varD"
(*<*)
apply (erule varD.induct)
apply clarsimp apply (erule varDFalse) apply simp
apply clarsimp apply (erule varDTrue) prefer 2 apply assumption apply simp
done
(*>*)

(*<*)
text‹As $\mathit{varD}$ does not depend on $\Phi$, the monotonicity
property in this position is trivially fulfilled.›

lemma varDMonotoneInPhi[rule_format]:
"⟦(b, A, s, t) ∈ varD; ∀s t. Φ(s, t) ⟶ Ψ(s, t)⟧
⟹ (b, A, s, t) ∈ varD"
by simp
(*>*)

text‹Finally, the subsumption rule.›

lemma SUB:
"⟦ LEQ p pp; ∀x. LEQ (G x) (GG x); ∀x. LEQ (HH x) (H x);
X ⊳ c : Sec (Q pp HH) (EQ GG q) (EQ HH q) Φ⟧
⟹ X ⊳ c : Sec (Q p H) (EQ G q) (EQ H q) Φ"
(*<*)
apply (erule VDMConseq)
apply (simp add: Sec_def EQ_def, clarsimp)
apply (rule, simp add: Q_def, clarsimp)
apply (erule_tac x=x in allE, erule mp, clarsimp)
apply (subgoal_tac "LEQ p (H x)", fast)
apply (rotate_tac 2, erule_tac x=x in allE)
apply (erule LAT2)
apply (erule LAT2, assumption)
apply (rule, clarsimp)
apply (erule_tac x=r in allE, erule mp, clarsimp)
apply (erule_tac x=x in allE, erule mp)
apply (erule_tac x=x in allE, erule LAT2,assumption)
apply clarsimp
apply (erule_tac x=r in allE, erule impE, assumption)
apply (erule_tac x=x in allE, erule mp)
apply (erule_tac x=x in allE, erule LAT2, assumption)
done
(*>*)

subsection‹Soundness results›

(*<*)
definition Theorem3derivProp::"VDMAssn set ⇒ L ⇒ CONTEXT ⇒ IMP ⇒ CONTEXT ⇒ L ⇒ bool"
where "Theorem3derivProp X p G c H q = (∃ Φ . X ⊳ c : (Sec (Q p H) (EQ G q) (EQ H q) Φ))"

lemma Theorem3_derivAux[rule_format]:
"(p,G,c,H):HS ⟹ Theorem3derivProp X p G c H q"
apply (erule HS.induct)
(*Skip*)
apply (rule, rule SKIP)
(*Assign*)
apply (rule, rule ASSIGN[simplified]) apply simp
apply (clarsimp, erule HS_E_eval) apply assumption apply (rule LAT6)
(*COMP*)
apply clarsimp
apply (rule, rule COMP) apply (assumption, assumption) apply (erule HS_Aux1)
apply (erule HS_Aux1)
(*IFF*)
apply clarsimp
apply (subgoal_tac "(G, b, LUB p t) ∈ HS_B", erule thin_rl)
prefer 2 apply (erule HS_B_sup) apply (subgoal_tac "LEQ t (LUB t p)", simp add: LAT4) apply (rule LAT3)
apply (subgoal_tac "∃ psi. X ⊳ Iff b c d : Sec (Q (LUB p t) H) (EQ G q) (EQ H q) psi", clarsimp)
apply (rule_tac x=psi in exI, erule VDMConseq, clarsimp)
apply (erule_tac x=x in allE, erule mp, clarsimp)
apply (subgoal_tac "LEQ p (LUB p t)")
prefer 2 apply (rule LAT3)
apply (rotate_tac -1, drule LAT2) apply assumption apply simp
apply (case_tac "∃ x . LEQ (LUB p t) (H x) ∧ LEQ (H x) q")
apply (rule, erule IF_PARALLEL_tp) apply assumption+
apply (rule, rule IF_DIAGONAL) apply (erule HS_Aux1) apply assumption+
(*If2*)
apply clarsimp
apply (case_tac "∃ x . LEQ p (H x) ∧ LEQ (H x) q")
apply (rule, erule IF_PARALLEL_tp) apply assumption+
apply (rule, rule IF_DIAGONAL) apply (erule HS_Aux1) apply assumption+
(*While*)
apply clarsimp
apply (subgoal_tac "(G, b, LUB p t) ∈ HS_B", erule thin_rl)
prefer 2 apply (erule HS_B_sup) apply (subgoal_tac "LEQ t (LUB t p)", simp add: LAT4) apply (rule LAT3)
apply (subgoal_tac "∃ psi. X ⊳ While b c : Sec (Q (LUB p t) G) (EQ G q) (EQ G q) psi", clarsimp)
apply (rule_tac x=psi in exI, erule VDMConseq, clarsimp)
apply (erule_tac x=x in allE, erule mp, clarsimp)
apply (subgoal_tac "LEQ p (LUB p t)")
prefer 2 apply (rule LAT3)
apply (rotate_tac -1, drule LAT2) apply assumption apply simp
apply (case_tac "LEQ (LUB p t) q")
apply (rule, rule WHILE_PARALLEL) apply assumption
apply clarsimp apply (erule HS_B_eval)  apply assumption apply (rule LAT6) apply assumption
(*OTHER CASE*)
apply (rule, erule WHILE_DIAGONAL) apply assumption
(*Sub*)
apply clarsimp
apply (rule, erule SUB, assumption+)
done
(*>*)

text‹An induction on the typing rules now proves the main theorem
which was called Theorem 4 in~\<^cite>‹"BeringerHofmann:CSF2007"›.›

theorem Theorem4[rule_format]:
"(p,G,c,H):HS ⟹
(∃ Φ . X ⊳ c : (Sec (Q p H) (EQ G q) (EQ H q) Φ))"
(*<*)
by (drule Theorem3_derivAux, simp add: Theorem3derivProp_def)
(*>*)

text‹By the construction of the operator $\mathit{Sec}$ (lemmas
‹Prop4A› and ‹Prop4A› in Section \ref{sec:ARSsecurity}) we
obtain the soundness property with respect to the oprational
semantics, i.e.~the result stated as Theorem 3.3 in
\<^cite>‹"HuntSands:POPL2006"›.›

theorem HuntSands33: "(p,G,c,H):HS ⟹ secure p G c H"
(*<*)
apply (drule Theorem4, clarsimp)
apply (rule Prop4A)
apply (rule VDM_Sound_emptyCtxt)  apply fast
done
(*>*)

text ‹Both parts of this theorem may also be shown
individually. We factor both proofs by the program logic.›

lemma Sec1_deriv: "(p,G,c,H):HS ⟹ X ⊳ c : (Q p H)"
(*<*)
apply (drule Theorem4, clarsimp)
apply (erule VDMConseq)
apply (simp add: Sec_def) apply clarsimp
done
(*>*)

(*<*)
lemma
"(p,G,c,H):HS ⟹
X ⊳ c : (λ s t . ∀ x . ¬ LEQ p (H x) ⟶ s x = t x)"
apply (drule Sec1_deriv) apply (erule VDMConseq) apply (simp add: Q_def)
done
(*>*)

theorem HuntSands33_1:"(p,G,c,H):HS ⟹ secure1 p G c H"
(*<*)
apply (subgoal_tac "{} ⊳ c : Q p H")
apply (drule VDM_Sound)
apply (simp add: Q_def secure1_def valid_def VDM_valid_def Ctxt_valid_def)
apply (erule Sec1_deriv)
done(*>*)

lemma Sec2_deriv:
"(p,G,c,H):HS ⟹
(∃ A . X ⊳ c : (Sec (Q p H) (EQ G q) (EQ H q) A))"
(*<*)
by (drule Theorem4 [of p G c H "X" q], clarsimp)
(*>*)

(*<*)
lemma Sec2:
"(p,G,c,H):HS ⟹
(∃ Φ . ⊨ c : (Sec (Q p H) (EQ G q) (EQ H q) Φ))"
apply (drule Theorem4 [of p G c H "{}" q], clarsimp)
apply (rule_tac x=Φ in exI, erule VDM_Sound_emptyCtxt)
done
(*>*)

theorem HuntSands33_2: "(p,G,c,H):HS ⟹ secure2 q G c H"
(*<*)
apply (subgoal_tac "∀ q . ARSsecure (Q p H) (EQ G q) (EQ H q) c")
prefer 2 apply clarsimp
apply (drule Sec2_deriv[of p G c H "{}"], erule exE)
apply (rule Prop4A) apply (erule VDM_Sound_emptyCtxt)
apply (insert secureEQUIV [of p G c H]) apply (simp add: secure_def)
done
(*>*)

text‹Again, the call rule is formulated for an arbitrary fixed point
of a monotone transformer.›

lemma CALL:
"⟦ ({B} ∪ X) ⊳ body : Sec A R S (φ(FIX φ));
Monotone φ; B = Sec A R S (FIX φ) ⟧
⟹ X ⊳ Call : B"
(*<*)
apply (rule VDMCall)
apply (subgoal_tac "φ (FIX φ) = FIX φ", clarsimp)
apply (erule Fix_lemma)
done
(*>*)

(*<*)
text‹Monotonicity lemmas for the operators occurring in the derived proof rules.›
lemma SkipMonotone:"Monotone (λ T (s,t). EQ G p s t)"

lemma AssignMonotone:"Monotone (λ T (s,t). ∃r. s = update r x (evalE e r) ∧ EQ G p r t)"

lemma CompMonotone: "Monotone (λ T (s,t). ∃ r. A r t ∧ (∀w. EQ K q r w ⟶ B s w))"

lemma IfPMonotone1: "Monotone (λ T (s,t). (evalB b t ⟶ T(s,t)) ∧ (¬ evalB b t ⟶ B (s,t)))"

lemma IfPMonotone2: "Monotone (λ T (s,t). (evalB b t ⟶ A(s,t)) ∧ (¬ evalB b t ⟶ T (s,t)))"

lemma IfDMonotone:"Monotone (λ T (s,t). EQ G p s t)"

lemma WhileDMonotone: "Monotone (λ T (s,t). EQ G q s t)"

lemma SubMonotone: "Monotone (λT. T)"
(*>*)

text‹As in Section \ref{sec:BaseLineNI}, we define a formal derivation system
comprising all derived rules and show that all derivable judgements
are of the for $\mathit{Sec}(\Phi)$ for some monotone $\Phi$.›

inductive_set Deriv:: "(VDMAssn set × IMP × VDMAssn) set"
where
D_SKIP:
"Ω = (λ (s,t). EQ G q s t)
⟹ (X, Skip, Sec (Q p H) (EQ G q) (EQ G q) Ω) : Deriv"

| D_ASSIGN:
"⟦H = upd G x (LUB p t);
∀ s ss . EQ G t s ss ⟶ evalE e s = evalE e ss;
Ω = (λ (s, t) . ∃ r . s = update r x (evalE e r) ∧ EQ G q r t)⟧
⟹ (X, Assign x e, Sec (Q p H) (EQ G q) (EQ H q) Ω) : Deriv"

| D_COMP:
"⟦ (X, c, Sec (Q p K) (EQ G q) (EQ K q) Φ) : Deriv;
(X, d, Sec (Q p H) (EQ K q) (EQ H q) Ψ) : Deriv;
∀ x . LEQ (G x) (K x) ∨ LEQ p (K x);
∀ x . LEQ (K x) (H x) ∨ LEQ p (H x);
Ω = (λ (x, y) . ∃ z . Φ(z,y) ∧ (∀ w . EQ K q z w ⟶ Ψ(x,w)))⟧
⟹ (X, Comp c d, Sec (Q p H) (EQ G q) (EQ H q) Ω) : Deriv"

| D_IF_PARALLEL:
"⟦ ∀ s ss . EQ G p s ss ⟶ evalB b s = evalB b ss;
∀ x. LEQ (G x) (H x) ∨ LEQ p (H x);
∃ x . LEQ p (H x) ∧ LEQ (H x) q;
(X, c, Sec (Q p H) (EQ G q) (EQ H q) Φ) : Deriv;
(X, d, Sec (Q p H) (EQ G q) (EQ H q) Ψ) : Deriv;
Ω = (λ (r, u) . (evalB b u ⟶ Φ(r,u)) ∧
( (¬ evalB b u) ⟶ Ψ(r,u)))⟧
⟹ (X, Iff b c d, Sec (Q p H) (EQ G q) (EQ H q) Ω) : Deriv"

| D_IF_DIAGONAL:
"⟦ ∀x. LEQ (G x) (H x) ∨ LEQ p (H x);
¬ (∃x. LEQ p (H x) ∧ LEQ (H x) q);
(X, c, Sec (Q p H) (EQ G q) (EQ H q) Φ) : Deriv;
(X, d, Sec (Q p H) (EQ G q) (EQ H q) Ψ) : Deriv;
Ω = (λ (s,t) . EQ H q s t)⟧
⟹ (X, Iff b c d, Sec (Q p H) (EQ G q) (EQ H q) Ω) : Deriv"

| D_WHILE_PARALLEL:
"⟦ (X, c, Sec (Q p G) (EQ G q) (EQ G q) Φ):Deriv;
∀ s ss . EQ G p s ss ⟶ evalB b s = evalB b ss; LEQ p q;
Ω = (λ (s,t) . (b,EQ G q,Φ,s,t):var)⟧
⟹ (X, While b c, Sec (Q p G) (EQ G q) (EQ G q) Ω):Deriv"

| D_WHILE_DIAGONAL:
"⟦(X, c, Sec (Q p G) (EQ G q) (EQ G q) Φ) : Deriv; ¬ LEQ p q;
Ω = (λ (s,t) . EQ G q s t)⟧
⟹ (X, While b c, Sec (Q p G) (EQ G q) (EQ G q) Ω) : Deriv"

| D_SUB:
"⟦ LEQ p pp; ∀x. LEQ (G x) (GG x); ∀x. LEQ (HH x) (H x);
(X, c, Sec (Q pp HH) (EQ GG q) (EQ HH q) Φ) : Deriv⟧
⟹ (X, c, Sec (Q p H) (EQ G q) (EQ H q) Φ) :Deriv"

| D_CALL:
"({A} ∪ X,body,A): Deriv ⟹ (X,Call,A) : Deriv"

(*<*)
definition DProp :: "VDMAssn ⇒ bool"
where "DProp B = (∃ A R S φ . B =  Sec A R S (φ (FIX φ)) ∧ Monotone φ)"

lemma DerivProp_Aux: "(X,c,A):Deriv ⟹ DProp A"
apply (erule Deriv.induct)
apply (rule_tac x="Q p H" in exI,
rule_tac x="EQ G q" in exI,
rule_tac x="EQ G q" in exI)
apply rule apply rule
apply simp
apply (rule_tac x="(Q p (upd G x (LUB p t)))" in exI,
rule_tac x="EQ G q" in exI,
rule_tac x="(EQ (upd G x (LUB p t)) q)" in exI)
apply rule apply rule
apply simp
apply clarsimp
apply (rule_tac x="Q p H" in exI,
rule_tac x="EQ G q" in exI,
rule_tac x="EQ H q" in exI)
apply rule apply rule
apply simp
apply clarsimp
apply (rule_tac x="Q p H" in exI,
rule_tac x="EQ G q" in exI,
rule_tac x="EQ H q" in exI)
apply rule apply rule apply simp
apply clarsimp
apply (rule_tac x="Q p H" in exI,
rule_tac x="EQ G q" in exI,
rule_tac x="EQ H q" in exI)
apply rule apply rule
apply simp
apply clarsimp
apply (rule_tac x="Q p G" in exI,
rule_tac x="EQ G q" in exI,
rule_tac x="EQ G q" in exI)
apply rule apply rule
apply simp
apply clarsimp
apply (rule_tac x="Q p G" in exI,
rule_tac x="EQ G q" in exI,
rule_tac x="EQ G q" in exI)
apply rule apply rule
apply simp
apply clarsimp
apply (rule_tac x="Q p H" in exI,
rule_tac x="EQ G q" in exI,
rule_tac x="EQ H q" in exI)
apply rule apply rule apply simp
done
(*>*)

lemma DerivMono:
"(X,c,B):Deriv ⟹
∃ A R S φ . B =  Sec A R S (φ (FIX φ)) ∧ Monotone φ"
(*<*)
by (drule DerivProp_Aux, simp add: DProp_def)
(*>*)

text‹Also, the ‹Deriv› is indeed a subsystem of the program
logic.›

theorem Deriv_derivable: "(X,c,A):Deriv ⟹ X ⊳ c :A"
(*<*)
apply (erule Deriv.induct)
apply clarify apply (rule SKIP)
apply clarify apply (rule_tac t=t in ASSIGN) apply simp apply assumption
apply clarify apply (rule COMP) apply assumption apply assumption apply assumption apply assumption
apply clarify apply (rule IF_PARALLEL) apply assumption apply assumption apply (rule_tac x=x in exI, simp) apply assumption apply assumption
apply clarify apply (rule IF_DIAGONAL) apply assumption apply assumption apply assumption apply assumption
apply clarify apply (rule WHILE_PARALLEL_IND) apply assumption apply assumption apply assumption
apply clarify apply (rule WHILE_DIAGONAL) apply assumption apply assumption
apply (rule SUB) apply assumption apply assumption apply assumption apply assumption
apply (frule DerivMono) apply (erule exE)+ apply clarsimp
apply (subgoal_tac "X ⊳ Call : Sec Aa R S (FIX φ)")
prefer 2 apply (rule CALL)
prefer 2 apply assumption