isabelle: src/HOL/Unix/document/root.tex@0594e63e6057 (annotated)

10966 8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	1
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	2	\documentclass[11pt,a4paper]{article}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	3	\usepackage{isabelle,isabellesym,pdfsetup}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	4
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	5	%for best-style documents ...
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	6	\urlstyle{rm}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	7	\isabellestyle{it}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	8
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	9	\renewcommand{\isamarkupcmt}[1]{{\isastylecmt---~~#1}}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	10
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	11	\newcommand{\secref}[1]{\S\ref{#1}}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	12
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	13
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	14	\begin{document}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	15
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	16	\title{Some aspects of Unix file-system security}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	17	\author{Markus Wenzel \\ TU M\"unchen}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	18	\maketitle
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	19
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	20	\begin{abstract}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	21	Unix is a simple but powerful system where everything is either a process or
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	22	a file. Access to system resources works mainly via the file-system,
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	23	including special files and devices. Most Unix security issues are
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	24	reflected directly within the file-system. We give a mathematical model of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	25	the main aspects of the Unix file-system including its security model, but
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	26	ignoring processes. Within this formal model we discuss some aspects of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	27	Unix security, including a few odd effects caused by the general
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	28	``worse-is-better'' approach followed in Unix.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	29
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	30	Our formal specifications will be giving in simply-typed classical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	31	set-theory as provided by Isabelle/HOL. Formal proofs are expressed in a
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	32	human-readable fashion using the structured proof language of Isabelle/Isar,
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	33	which is a system intended to support intelligible semi-automated reasoning
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	34	over a wide range of application domains. Thus the present development also
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	35	demonstrates that Isabelle/Isar is sufficiently flexible to cover typical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	36	abstract verification tasks as well. So far this has been the classical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	37	domain of interactive theorem proving systems based on unstructured tactic
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	38	languages.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	39	\end{abstract}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	40
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	41	\tableofcontents
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	42	\newpage
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	43
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	44	\parindent 0pt\parskip 0.5ex
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	45
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	46
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	47	\section{Introduction}\label{sec:unix-intro}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	48
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	49	\subsection{The Unix philosophy}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	50
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	51	Over the last 2 or 3 decades the Unix community has collected a certain amount
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	52	of folklore wisdom on building systems that actually work, see
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	53	\cite{Unix-heritage} for further historical background information. Here is a
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	54	recent account of the philosophical principles behind the Unix way of software
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	55	and systems engineering.\footnote{This has appeared on \emph{Slashdot} on
10968 4882d65cc716 tuned; wenzelm parents: 10966 diff changeset	56	25-March-2000, see \url{http://slashdot.com}.}
10966 8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	57
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	58	{\small
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	59	\begin{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	60	The UNIX Philosophy (Score:2, Insightful)
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	61	by yebb on Saturday March 25, @11:06AM EST (#69)
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	62	(User Info)
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	63
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	64	The philosophy is a result of more than twenty years of software
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	65	development and has grown from the UNIX community instead of being
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	66	enforced upon it. It is a defacto-style of software development. The
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	67	nine major tenets of the UNIX Philosophy are:
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	68
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	69	1. small is beautiful
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	70	2. make each program do one thing well
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	71	3. build a prototype as soon as possible
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	72	4. choose portability over efficiency
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	73	5. store numerical data in flat files
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	74	6. use software leverage to your advantage
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	75	7. use shell scripts to increase leverage and portability
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	76	8. avoid captive user interfaces
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	77	9. make every program a filter
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	78
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	79	The Ten Lesser Tenets
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	80
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	81	1. allow the user to tailor the environment
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	82	2. make operating system kernels small and lightweight
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	83	3. use lower case and keep it short
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	84	4. save trees
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	85	5. silence is golden
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	86	6. think parallel
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	87	7. the sum of the parts if greater than the whole
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	88	8. look for the ninety percent solution
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	89	9. worse is better
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	90	10. think hierarchically
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	91	\end{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	92	}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	93
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	94	The ``worse-is-better'' approach quoted above is particularly interesting. It
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	95	basically means that \emph{relevant} concepts have to be implemented in the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	96	right way, while \emph{irrelevant} issues are simply ignored in order to avoid
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	97	unnecessary complication of the design and implementation. Certainly, the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	98	overall quality of the resulting system heavily depends on the virtue of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	99	distinction between the two categories of ``relevant'' and ``irrelevant''.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	100
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	101
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	102	\subsection{Unix security}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	103
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	104	The main entities of a Unix system are \emph{files} and \emph{processes}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	105	\cite{Tanenbaum:1992}. Files subsume any persistent ``static'' entity managed
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	106	by the system --- ranging from plain files and directories, to more special
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	107	ones such device nodes, pipes etc. On the other hand, processes are
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	108	``dynamic'' entities that may perform certain operations while being run by
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	109	the system.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	110
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	111	The security model of classic Unix systems is centered around the file system.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	112	The operations permitted by a process that is run by a certain user are
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	113	determined from information stored within the file system. This includes any
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	114	kind of access control, such as read/write access to some plain file, or
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	115	read-only access to a certain global device node etc. Thus proper arrangement
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	116	of the main Unix file-system is very critical for overall
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	117	security.\footnote{Incidently, this is why the operation of mounting new
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	118	volumes into the existing file space is usually restricted to the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	119	super-user.}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	120
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	121	\medskip Generally speaking, the Unix security model is a very simplistic one.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	122	The original designers did not have maximum security in mind, but wanted to
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	123	get a decent system working for typical multi-user environments. Contemporary
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	124	Unix implementations still follow the basic security model of the original
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	125	versions from the early 1970's \cite{Unix-heritage}. Even back then there
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	126	would have been better approaches available, albeit with more complexity
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	127	involved both for implementers and users.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	128
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	129	On the other hand, even in the 2000's many computer systems are run with
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	130	little or no file-system security at all, even though virtually any system is
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	131	exposed to the net in one way or the other. Even ``personal'' computer
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	132	systems have long left the comfortable home environment and entered the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	133	wilderness of the open net sphere.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	134
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	135	\medskip This treatment of file-system security is a typical example of the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	136	``worse-is-better'' principle introduced above. The simplistic security model
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	137	of Unix got widely accepted within a large user community, while the more
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	138	innovative (and cumbersome) ones are only used very reluctantly and even tend
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	139	to be disabled by default in order to avoid confusion of beginners.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	140
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	141
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	142	\subsection{Odd effects}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	143
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	144	Simplistic systems usually work very well in typical situations, but tend to
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	145	exhibit some odd features in non-typical ones. As far as Unix file-system
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	146	security is concerned, there are many such features that are well-known to
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	147	experts, but may surprise naive users.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	148
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	149	Subsequently, we consider an example that is not so exotic after all. As may
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	150	be easily experienced on a running Unix system, the following sequence of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	151	commands may put a user's file-system into an uncouth state. Below we assume
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	152	that \texttt{user1} and \texttt{user2} are working within the same directory
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	153	(e.g.\ somewhere within the home of \texttt{user1}).
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	154
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	155	{\small
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	156	\begin{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	157	user1> umask 000; mkdir foo; umask 022
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	158	user2> mkdir foo/bar
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	159	user2> touch foo/bar/baz
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	160	\end{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	161	}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	162
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	163	That is, \texttt{user1} creates a directory that is writable for everyone, and
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	164	\texttt{user2} puts there a non-empty directory without write-access for
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	165	others.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	166
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	167	In this situation it has become impossible for \texttt{user1} to remove his
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	168	very own directory \texttt{foo} without the cooperation of either
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	169	\texttt{user2}, since \texttt{foo} contains another non-empty and non-writable
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	170	directory, which cannot be removed.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	171
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	172	{\small
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	173	\begin{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	174	user1> rmdir foo
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	175	rmdir: directory "foo": Directory not empty
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	176	user1> rmdir foo/bar
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	177	rmdir: directory "bar": Directory not empty
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	178	user1> rm foo/bar/baz
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	179	rm not removed: Permission denied
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	180	\end{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	181	}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	182
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	183	Only after \texttt{user2} has cleaned up his directory \texttt{bar}, is
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	184	\texttt{user1} enabled to remove both \texttt{foo/bar} and \texttt{foo}.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	185	Alternatively \texttt{user2} could remove \texttt{foo/bar} as well. In the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	186	unfortunate case that \texttt{user2} does not cooperate or is presently
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	187	unavailable, \texttt{user1} would have to find the super user (\texttt{root})
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	188	to clean up the situation. In Unix \texttt{root} may perform any file-system
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	189	operation without any access control limitations.\footnote{This is the typical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	190	Unix way of handling abnormal situations: while it is easy to run into odd
11102 5ceaa79c220d tuned; wenzelm parents: 10968 diff changeset	191	cases due to simplistic policies it is as well quite easy to get out. There
10966 8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	192	are other well-known systems that make it somewhat harder to get into a fix,
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	193	but almost impossible to get out again!}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	194
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	195	\bigskip Is there really no other way out for \texttt{user1} in the above
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	196	situation? Experiments can only show possible ways, but never demonstrate the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	197	absence of other means exhaustively. This is a typical situation where
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	198	(formal) proof may help. Subsequently, we model the main aspects Unix
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	199	file-system security within Isabelle/HOL \cite{Nipkow-et-al:2000:HOL} and
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	200	prove that there is indeed no way for \texttt{user1} to get rid of his
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	201	directory \texttt{foo} without help by others (see
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	202	\secref{sec:unix-main-result} for the main theorem stating this).
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	203
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	204	\medskip The formal techniques employed in this development are the typical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	205	ones for abstract ``verification'' tasks, namely induction and case analysis
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	206	over the structure of file-systems and possible system transitions.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	207	Isabelle/HOL \cite{Nipkow-et-al:2000:HOL} is particularly well-suited for this
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	208	kind of application. By the present development we also demonstrate that the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	209	Isabelle/Isar environment \cite{Wenzel:1999:TPHOL,Wenzel:2000:isar-ref} for
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	210	readable formal proofs is sufficiently flexible to cover non-trivial
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	211	verification tasks as well. So far this has been the classical domain of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	212	``interactive'' theorem proving systems based on unstructured tactic
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	213	languages.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	214
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	215
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	216	\input{Unix}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	217
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	218	\bibliographystyle{abbrv}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	219	\bibliography{root}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	220
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	221	\end{document}

author	wenzelm
	Fri, 26 Oct 2001 14:02:58 +0200
changeset 11944	0594e63e6057
parent 11862	03801fd2f8fc
child 13381	60bc63b13857
permissions	-rw-r--r--