isabelle: src/HOL/Unix/document/root.tex@5ceaa79c220d (annotated)

10966 8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	1
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	2	\documentclass[11pt,a4paper]{article}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	3	\usepackage{isabelle,isabellesym,pdfsetup}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	4
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	5	%for best-style documents ...
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	6	\urlstyle{rm}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	7	\isabellestyle{it}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	8
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	9	\renewcommand{\isabeginpar}{\par\smallskip}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	10	\renewcommand{\isamarkupcmt}[1]{{\isastylecmt---~~#1}}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	11
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	12	\newcommand{\secref}[1]{\S\ref{#1}}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	13
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	14
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	15	\begin{document}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	16
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	17	\title{Some aspects of Unix file-system security}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	18	\author{Markus Wenzel \\ TU M\"unchen}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	19	\maketitle
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	20
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	21	\begin{abstract}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	22	Unix is a simple but powerful system where everything is either a process or
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	23	a file. Access to system resources works mainly via the file-system,
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	24	including special files and devices. Most Unix security issues are
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	25	reflected directly within the file-system. We give a mathematical model of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	26	the main aspects of the Unix file-system including its security model, but
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	27	ignoring processes. Within this formal model we discuss some aspects of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	28	Unix security, including a few odd effects caused by the general
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	29	``worse-is-better'' approach followed in Unix.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	30
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	31	Our formal specifications will be giving in simply-typed classical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	32	set-theory as provided by Isabelle/HOL. Formal proofs are expressed in a
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	33	human-readable fashion using the structured proof language of Isabelle/Isar,
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	34	which is a system intended to support intelligible semi-automated reasoning
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	35	over a wide range of application domains. Thus the present development also
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	36	demonstrates that Isabelle/Isar is sufficiently flexible to cover typical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	37	abstract verification tasks as well. So far this has been the classical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	38	domain of interactive theorem proving systems based on unstructured tactic
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	39	languages.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	40	\end{abstract}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	41
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	42	\tableofcontents
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	43	\newpage
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	44
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	45	\parindent 0pt\parskip 0.5ex
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	46
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	47
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	48	\section{Introduction}\label{sec:unix-intro}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	49
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	50	\subsection{The Unix philosophy}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	51
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	52	Over the last 2 or 3 decades the Unix community has collected a certain amount
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	53	of folklore wisdom on building systems that actually work, see
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	54	\cite{Unix-heritage} for further historical background information. Here is a
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	55	recent account of the philosophical principles behind the Unix way of software
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	56	and systems engineering.\footnote{This has appeared on \emph{Slashdot} on
10968 4882d65cc716 tuned; wenzelm parents: 10966 diff changeset	57	25-March-2000, see \url{http://slashdot.com}.}
10966 8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	58
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	59	{\small
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	60	\begin{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	61	The UNIX Philosophy (Score:2, Insightful)
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	62	by yebb on Saturday March 25, @11:06AM EST (#69)
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	63	(User Info)
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	64
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	65	The philosophy is a result of more than twenty years of software
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	66	development and has grown from the UNIX community instead of being
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	67	enforced upon it. It is a defacto-style of software development. The
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	68	nine major tenets of the UNIX Philosophy are:
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	69
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	70	1. small is beautiful
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	71	2. make each program do one thing well
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	72	3. build a prototype as soon as possible
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	73	4. choose portability over efficiency
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	74	5. store numerical data in flat files
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	75	6. use software leverage to your advantage
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	76	7. use shell scripts to increase leverage and portability
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	77	8. avoid captive user interfaces
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	78	9. make every program a filter
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	79
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	80	The Ten Lesser Tenets
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	81
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	82	1. allow the user to tailor the environment
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	83	2. make operating system kernels small and lightweight
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	84	3. use lower case and keep it short
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	85	4. save trees
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	86	5. silence is golden
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	87	6. think parallel
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	88	7. the sum of the parts if greater than the whole
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	89	8. look for the ninety percent solution
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	90	9. worse is better
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	91	10. think hierarchically
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	92	\end{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	93	}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	94
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	95	The ``worse-is-better'' approach quoted above is particularly interesting. It
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	96	basically means that \emph{relevant} concepts have to be implemented in the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	97	right way, while \emph{irrelevant} issues are simply ignored in order to avoid
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	98	unnecessary complication of the design and implementation. Certainly, the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	99	overall quality of the resulting system heavily depends on the virtue of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	100	distinction between the two categories of ``relevant'' and ``irrelevant''.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	101
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	102
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	103	\subsection{Unix security}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	104
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	105	The main entities of a Unix system are \emph{files} and \emph{processes}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	106	\cite{Tanenbaum:1992}. Files subsume any persistent ``static'' entity managed
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	107	by the system --- ranging from plain files and directories, to more special
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	108	ones such device nodes, pipes etc. On the other hand, processes are
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	109	``dynamic'' entities that may perform certain operations while being run by
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	110	the system.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	111
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	112	The security model of classic Unix systems is centered around the file system.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	113	The operations permitted by a process that is run by a certain user are
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	114	determined from information stored within the file system. This includes any
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	115	kind of access control, such as read/write access to some plain file, or
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	116	read-only access to a certain global device node etc. Thus proper arrangement
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	117	of the main Unix file-system is very critical for overall
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	118	security.\footnote{Incidently, this is why the operation of mounting new
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	119	volumes into the existing file space is usually restricted to the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	120	super-user.}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	121
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	122	\medskip Generally speaking, the Unix security model is a very simplistic one.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	123	The original designers did not have maximum security in mind, but wanted to
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	124	get a decent system working for typical multi-user environments. Contemporary
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	125	Unix implementations still follow the basic security model of the original
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	126	versions from the early 1970's \cite{Unix-heritage}. Even back then there
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	127	would have been better approaches available, albeit with more complexity
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	128	involved both for implementers and users.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	129
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	130	On the other hand, even in the 2000's many computer systems are run with
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	131	little or no file-system security at all, even though virtually any system is
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	132	exposed to the net in one way or the other. Even ``personal'' computer
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	133	systems have long left the comfortable home environment and entered the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	134	wilderness of the open net sphere.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	135
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	136	\medskip This treatment of file-system security is a typical example of the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	137	``worse-is-better'' principle introduced above. The simplistic security model
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	138	of Unix got widely accepted within a large user community, while the more
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	139	innovative (and cumbersome) ones are only used very reluctantly and even tend
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	140	to be disabled by default in order to avoid confusion of beginners.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	141
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	142
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	143	\subsection{Odd effects}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	144
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	145	Simplistic systems usually work very well in typical situations, but tend to
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	146	exhibit some odd features in non-typical ones. As far as Unix file-system
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	147	security is concerned, there are many such features that are well-known to
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	148	experts, but may surprise naive users.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	149
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	150	Subsequently, we consider an example that is not so exotic after all. As may
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	151	be easily experienced on a running Unix system, the following sequence of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	152	commands may put a user's file-system into an uncouth state. Below we assume
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	153	that \texttt{user1} and \texttt{user2} are working within the same directory
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	154	(e.g.\ somewhere within the home of \texttt{user1}).
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	155
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	156	{\small
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	157	\begin{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	158	user1> umask 000; mkdir foo; umask 022
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	159	user2> mkdir foo/bar
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	160	user2> touch foo/bar/baz
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	161	\end{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	162	}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	163
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	164	That is, \texttt{user1} creates a directory that is writable for everyone, and
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	165	\texttt{user2} puts there a non-empty directory without write-access for
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	166	others.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	167
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	168	In this situation it has become impossible for \texttt{user1} to remove his
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	169	very own directory \texttt{foo} without the cooperation of either
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	170	\texttt{user2}, since \texttt{foo} contains another non-empty and non-writable
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	171	directory, which cannot be removed.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	172
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	173	{\small
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	174	\begin{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	175	user1> rmdir foo
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	176	rmdir: directory "foo": Directory not empty
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	177	user1> rmdir foo/bar
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	178	rmdir: directory "bar": Directory not empty
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	179	user1> rm foo/bar/baz
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	180	rm not removed: Permission denied
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	181	\end{verbatim}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	182	}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	183
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	184	Only after \texttt{user2} has cleaned up his directory \texttt{bar}, is
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	185	\texttt{user1} enabled to remove both \texttt{foo/bar} and \texttt{foo}.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	186	Alternatively \texttt{user2} could remove \texttt{foo/bar} as well. In the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	187	unfortunate case that \texttt{user2} does not cooperate or is presently
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	188	unavailable, \texttt{user1} would have to find the super user (\texttt{root})
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	189	to clean up the situation. In Unix \texttt{root} may perform any file-system
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	190	operation without any access control limitations.\footnote{This is the typical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	191	Unix way of handling abnormal situations: while it is easy to run into odd
11102 5ceaa79c220d tuned; wenzelm parents: 10968 diff changeset	192	cases due to simplistic policies it is as well quite easy to get out. There
10966 8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	193	are other well-known systems that make it somewhat harder to get into a fix,
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	194	but almost impossible to get out again!}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	195
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	196	\bigskip Is there really no other way out for \texttt{user1} in the above
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	197	situation? Experiments can only show possible ways, but never demonstrate the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	198	absence of other means exhaustively. This is a typical situation where
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	199	(formal) proof may help. Subsequently, we model the main aspects Unix
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	200	file-system security within Isabelle/HOL \cite{Nipkow-et-al:2000:HOL} and
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	201	prove that there is indeed no way for \texttt{user1} to get rid of his
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	202	directory \texttt{foo} without help by others (see
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	203	\secref{sec:unix-main-result} for the main theorem stating this).
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	204
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	205	\medskip The formal techniques employed in this development are the typical
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	206	ones for abstract ``verification'' tasks, namely induction and case analysis
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	207	over the structure of file-systems and possible system transitions.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	208	Isabelle/HOL \cite{Nipkow-et-al:2000:HOL} is particularly well-suited for this
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	209	kind of application. By the present development we also demonstrate that the
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	210	Isabelle/Isar environment \cite{Wenzel:1999:TPHOL,Wenzel:2000:isar-ref} for
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	211	readable formal proofs is sufficiently flexible to cover non-trivial
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	212	verification tasks as well. So far this has been the classical domain of
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	213	``interactive'' theorem proving systems based on unstructured tactic
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	214	languages.
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	215
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	216
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	217	\input{Unix}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	218
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	219	\bibliographystyle{abbrv}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	220	\bibliography{root}
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	221
8f2c27041a8e added HOL-Unix example; wenzelm parents: diff changeset	222	\end{document}

author	wenzelm
	Mon, 12 Feb 2001 20:47:19 +0100
changeset 11102	5ceaa79c220d
parent 10968	4882d65cc716
child 11862	03801fd2f8fc
permissions	-rw-r--r--