Theory Second_Example

chapter ‹Second Example›

theory %invisible Second_Example
imports Main
begin

text ‹\label{chap:exampleII}›

text ‹Pop-refinement is illustrated via a simple derivation,
in Isabelle/HOL,
of a non-deterministic program that satisfies a hyperproperty.›


section ‹Hyperproperties›
text ‹\label{sec:hyper}›

text ‹Hyperproperties are predicates over sets of traces~%
\<^cite>‹"ClarksonSchneiderHyperproperties"›.
Hyperproperties capture security policies
like non-interference~\<^cite>‹"GoguenMeseguerNonInterference"›,
which applies to deterministic systems,
and generalized non-interference (GNI)~\<^cite>‹"McCulloughSpecificationsMLS"›,
which generalizes non-interference to non-deterministic systems.›

text ‹The formulation of GNI in~\<^cite>‹"ClarksonSchneiderHyperproperties"›,
which is derived from~\<^cite>‹"McLeanPossibilisticProperties"›,
is based on:
\begin{itemize}
\item
A notion of traces as infinite streams of abstract states.
\item
Functions that map each state to low and high inputs and outputs,
where `low' and `high' have the usual security meaning
(e.g.\ `low' means `unclassified' and `high' means `classified').
These functions are homomorphically extended to map each trace
to infinite streams of low and high inputs and outputs.
\end{itemize}
The following formulation is slightly more general,
because the functions that return low and high inputs and outputs
operate directly on abstract traces.›

text ‹GNI says that for any two traces @{term τ⇩1} and @{term τ⇩2},
there is always a trace @{term τ⇩3} with
the same high inputs as @{term τ⇩1}
and the same low inputs and low outputs as @{term τ⇩2}.
Intuitively, this means that a low observer
(i.e.\ one that only observes low inputs and low outputs of traces)
cannot gain any information about high inputs
(i.e.\ high inputs cannot interfere with low outputs)
because observing a trace @{term τ⇩2}
is indistinguishable from observing some other trace @{term τ⇩3}
that has the same high inputs as an arbitrary trace @{term τ⇩1}.›

locale generalized_non_interference =
  fixes low_in :: "'τ ⇒ 'i" ― ‹low inputs›
  fixes low_out :: "'τ ⇒ 'o" ― ‹low outputs›
  fixes high_in :: "'τ ⇒ 'i" ― ‹high inputs›
  fixes high_out :: "'τ ⇒ 'o" ― ‹high outputs›

definition (in generalized_non_interference) GNI :: "'τ set ⇒ bool"
where "GNI 𝒯 ≡
  ∀τ⇩1 ∈ 𝒯. ∀τ⇩2 ∈ 𝒯. ∃τ⇩3 ∈ 𝒯.
    high_in τ⇩3 = high_in τ⇩1 ∧ low_in τ⇩3 = low_in τ⇩2 ∧ low_out τ⇩3 = low_out τ⇩2"


section ‹Target Programming Language›
text ‹\label{sec:targetII}›

text ‹In the target language used in this example,%
\footnote{Even though this language has many similarities
with the language in \secref{sec:targetI},
the two languages are defined separately
to keep \chapref{chap:exampleI} simpler.}
a program consists of
a list of distinct state variables
and a body of statements.
The statements modify the variables
by deterministically assigning results of expressions
and by non-deterministically assigning random values.
Expressions are built out of
non-negative integer constants,
state variables,
and addition operations.
Statements are combined
via conditionals, whose tests compare expressions for equality,
and via sequencing.
Each variable stores a non-negative integer.
Executing the body in a state yields a new state.
Because of non-determinism, different new states are possible,
i.e.\ executing the body in the same state
may yield different new states at different times.›

text ‹For instance, executing the body of the program
\begin{verbatim}
  prog {
    vars {
      x
      y
    }
    body {
      if (x == y + 1) {
        x = 0;
      } else {
        x = y + 3;
      }
      randomize y;
      y = y + 2;
    }
  }
\end{verbatim}
in the state where \verb|x| contains 4 and \verb|y| contains 7,
yields a new state where
\verb|x| always contains 10
and \verb|y| may contain any number in $\{2,3,\ldots\}$.›


subsection ‹Syntax›
text ‹\label{sec:syntaxII}›

text ‹Variables are identified by names.›

type_synonym name = string

text ‹Expressions are built out of
constants, variables, and addition operations.›

datatype expr = Const nat | Var name | Add expr expr

text ‹Statements are built out of
deterministic assignments,
non-deterministic assignments,
conditionals,
and sequencing.›

datatype stmt =
  Assign name expr |
  Random name |
  IfEq expr expr stmt stmt |
  Seq stmt stmt

text ‹A program consists of
a list of state variables
and a body statement.›

record prog =
  vars :: "name list"
  body :: stmt


subsection ‹Static Semantics›
text ‹\label{sec:staticII}›

text ‹A context is a set of variables.›

type_synonym ctxt = "name set"

text ‹Given a context,
an expression is well-formed iff\
all its variables are in the context.›

fun wfe :: "ctxt ⇒ expr ⇒ bool"
where
  "wfe Γ (Const c) ⟷ True" |
  "wfe Γ (Var v) ⟷ v ∈ Γ" |
  "wfe Γ (Add e⇩1 e⇩2) ⟷ wfe Γ e⇩1 ∧ wfe Γ e⇩2"

text ‹Given a context,
a statement is well-formed iff\
its deterministic assignments
assign well-formed expressions to variables in the context,
its non-deterministic assignments operate on variables in the context,
and its conditional tests compare well-formed expressions.›

fun wfs :: "ctxt ⇒ stmt ⇒ bool"
where
  "wfs Γ (Assign v e) ⟷ v ∈ Γ ∧ wfe Γ e" |
  "wfs Γ (Random v) ⟷ v ∈ Γ" |
  "wfs Γ (IfEq e⇩1 e⇩2 s⇩1 s⇩2) ⟷ wfe Γ e⇩1 ∧ wfe Γ e⇩2 ∧ wfs Γ s⇩1 ∧ wfs Γ s⇩2" |
  "wfs Γ (Seq s⇩1 s⇩2) ⟷ wfs Γ s⇩1 ∧ wfs Γ s⇩2"

text ‹The context of a program consists of the state variables.›

definition ctxt :: "prog ⇒ ctxt"
where "ctxt p ≡ set (vars p)"

text ‹A program is well-formed iff\
the variables are distinct
and the body is well-formed in the context of the program.›

definition wfp :: "prog ⇒ bool"
where "wfp p ≡ distinct (vars p) ∧ wfs (ctxt p) (body p)"


subsection ‹Dynamic Semantics›
text ‹\label{sec:dynamicII}›

text ‹A state associates values (non-negative integers) to variables.›

type_synonym state = "name ⇀ nat"

text ‹A state matches a context iff\
state and context have the same variables.›

definition match :: "state ⇒ ctxt ⇒ bool"
where "match σ Γ ≡ dom σ = Γ"

text ‹Evaluating an expression in a state yields a value,
or an error (@{const None})
if the expression contains a variable not in the state.›

definition add_opt :: "nat option ⇒ nat option ⇒ nat option" (infixl ‹⊕› 65)
― ‹Lifting of addition to @{typ "nat option"}.›
where "U⇩1 ⊕ U⇩2 ≡
  case (U⇩1, U⇩2) of (Some u⇩1, Some u⇩2) ⇒ Some (u⇩1 + u⇩2) | _ ⇒ None"

fun eval :: "state ⇒ expr ⇒ nat option"
where
 "eval σ (Const c) = Some c" |
 "eval σ (Var v) = σ v" |
 "eval σ (Add e⇩1 e⇩2) = eval σ e⇩1 ⊕ eval σ e⇩2"

text ‹Evaluating a well-formed expression never yields an error,
if the state matches the context.›

lemma eval_wfe:
  "wfe Γ e ⟹ match σ Γ ⟹ eval σ e ≠ None"
by (induct e, auto simp: match_def add_opt_def)

text ‹Executing a statement in a state yields a new state,
or an error (@{const None})
if the evaluation of an expression yields an error
or if an assignment operates on a variable not in the state.
Non-determinism is modeled via a relation
between old states and results,
where a result is either a new state or an error.›

inductive exec :: "stmt ⇒ state ⇒ state option ⇒ bool"
  (‹_ ⊳ _ ↝ _› [50, 50, 50] 50)
where
  ExecAssignNoVar:
    "v ∉ dom σ ⟹ Assign v e ⊳ σ ↝ None" |
  ExecAssignEvalError:
    "eval σ e = None ⟹ Assign v e ⊳ σ ↝ None" |
  ExecAssignOK: "
    v ∈ dom σ ⟹
    eval σ e = Some u ⟹
    Assign v e ⊳ σ ↝ Some (σ(v ↦ u))" |
  ExecRandomNoVar:
    "v ∉ dom σ ⟹ Random v ⊳ σ ↝ None" |
  ExecRandomOK:
    "v ∈ dom σ ⟹ Random v ⊳ σ ↝ Some (σ(v ↦ u))" |
  ExecCondEvalError1:
    "eval σ e⇩1 = None ⟹ IfEq e⇩1 e⇩2 s⇩1 s⇩2 ⊳ σ ↝ None" |
  ExecCondEvalError2:
    "eval σ e⇩2 = None ⟹ IfEq e⇩1 e⇩2 s⇩1 s⇩2 ⊳ σ ↝ None" |
  ExecCondTrue: "
    eval σ e⇩1 = Some u⇩1 ⟹
    eval σ e⇩2 = Some u⇩2 ⟹
    u⇩1 = u⇩2 ⟹
    s⇩1 ⊳ σ ↝ ρ ⟹
    IfEq e⇩1 e⇩2 s⇩1 s⇩2 ⊳ σ ↝ ρ" |
  ExecCondFalse: "
    eval σ e⇩1 = Some u⇩1 ⟹
    eval σ e⇩2 = Some u⇩2 ⟹
    u⇩1 ≠ u⇩2 ⟹
    s⇩2 ⊳ σ ↝ ρ ⟹
    IfEq e⇩1 e⇩2 s⇩1 s⇩2 ⊳ σ ↝ ρ" |
  ExecSeqError:
    "s⇩1 ⊳ σ ↝ None ⟹ Seq s⇩1 s⇩2 ⊳ σ ↝ None" |
  ExecSeqOK:
    "s⇩1 ⊳ σ ↝ Some σ' ⟹ s⇩2 ⊳ σ' ↝ ρ ⟹ Seq s⇩1 s⇩2 ⊳ σ ↝ ρ"

text ‹The execution of any statement in any state always yields a result.›

lemma exec_always:
  "∃ρ. s ⊳ σ ↝ ρ"
proof (induct s arbitrary: σ)
  case Assign
  show ?case
  by (metis
    ExecAssignEvalError ExecAssignNoVar ExecAssignOK option.exhaust)
next
  case Random
  show ?case
  by (metis ExecRandomNoVar ExecRandomOK)
next
  case IfEq
  thus ?case
  by (metis
    ExecCondEvalError1 ExecCondEvalError2 ExecCondFalse ExecCondTrue
    option.exhaust)
next
  case Seq
  thus ?case
  by (metis ExecSeqError ExecSeqOK option.exhaust)
qed

text ‹Executing a well-formed statement in a state that matches the context
never yields an error and always yields states that match the context.›

lemma exec_wfs_match:
  "wfs Γ s ⟹ match σ Γ ⟹ s ⊳ σ ↝ Some σ' ⟹ match σ' Γ"
proof (induct s arbitrary: σ σ')
  case (Assign v e)
  then obtain u
  where "eval σ e = Some u"
  and "σ' = σ(v ↦ u)"
  by (auto elim: exec.cases)
  with Assign
  show ?case
  by (metis
    domIff dom_fun_upd fun_upd_triv match_def option.distinct(1) wfs.simps(1))
next
  case (Random v)
  then obtain u
  where "σ' = σ(v ↦ u)"
  by (auto elim: exec.cases)
  with Random
  show ?case
  by (metis
    domIff dom_fun_upd fun_upd_triv match_def option.distinct(1) wfs.simps(2))
next
  case (IfEq e⇩1 e⇩2 s⇩1 s⇩2)
  hence "s⇩1 ⊳ σ ↝ Some σ' ∨ s⇩2 ⊳ σ ↝ Some σ'"
  by (blast elim: exec.cases)
  with IfEq
  show ?case
  by (metis wfs.simps(3))
next
  case (Seq s⇩1 s⇩2)
  then obtain σ⇩i
  where "s⇩1 ⊳ σ ↝ Some σ⇩i"
  and "s⇩2 ⊳ σ⇩i ↝ Some σ'"
  by (blast elim: exec.cases)
  with Seq
  show ?case
  by (metis wfs.simps(4))
qed

lemma exec_wfs_no_error:
  "wfs Γ s ⟹ match σ Γ ⟹ ¬ (s ⊳ σ ↝ None)"
proof (induct s arbitrary: σ)
  case (Assign v e)
  hence Var: "v ∈ dom σ"
  by (auto simp: match_def)
  from Assign
  have "eval σ e ≠ None"
  by (metis eval_wfe wfs.simps(1))
  with Var
  show ?case
  by (auto elim: exec.cases)
next
  case (Random v)
  thus ?case
  by (auto simp: match_def elim: exec.cases)
next
  case (IfEq e⇩1 e⇩2 s⇩1 s⇩2)
  then obtain u⇩1 u⇩2
  where "eval σ e⇩1 = Some u⇩1"
  and "eval σ e⇩2 = Some u⇩2"
  by (metis eval_wfe not_Some_eq wfs.simps(3))
  with IfEq
  show ?case
  by (auto elim: exec.cases)
next
  case (Seq s⇩1 s⇩2)
  show ?case
  proof
    assume "Seq s⇩1 s⇩2 ⊳ σ ↝ None"
    hence "s⇩1 ⊳ σ ↝ None ∨ (∃σ'. s⇩1 ⊳ σ ↝ Some σ' ∧ s⇩2 ⊳ σ' ↝ None)"
    by (auto elim: exec.cases)
    with Seq exec_wfs_match
    show False
    by (metis wfs.simps(4))
  qed
qed

lemma exec_wfs_always_match:
  "wfs Γ s ⟹ match σ Γ ⟹ ∃σ'. s ⊳ σ ↝ Some σ' ∧ match σ' Γ"
by (metis exec_always exec_wfs_match exec_wfs_no_error option.exhaust)

text ‹The states of a program
are the ones that match the context of the program.›

definition states :: "prog ⇒ state set"
where "states p ≡ {σ. match σ (ctxt p)}"

text ‹Executing the body of a well-formed program in a state of the program
always yields some state of the program, and never an error.›

lemma exec_wfp_no_error:
  "wfp p ⟹ σ ∈ states p ⟹ ¬ (body p ⊳ σ ↝ None)"
by (metis exec_wfs_no_error mem_Collect_eq states_def wfp_def)

lemma exec_wfp_in_states:
  "wfp p ⟹ σ ∈ states p ⟹ body p ⊳ σ ↝ Some σ' ⟹ σ' ∈ states p"
by (metis exec_wfs_match mem_Collect_eq states_def wfp_def)

lemma exec_wfp_always_in_states:
  "wfp p ⟹ σ ∈ states p ⟹ ∃σ'. body p ⊳ σ ↝ Some σ' ∧ σ' ∈ states p"
by (metis exec_always exec_wfp_in_states exec_wfp_no_error option.exhaust)

text ‹Program execution can be described
in terms of the trace formalism in~\<^cite>‹"ClarksonSchneiderHyperproperties"›.
Every possible (non-erroneous) execution of a program
can be described by a trace of two states---initial and final.
In this definition,
erroneous executions do not contribute to the traces of a program;
only well-formed programs are of interest,
which, as proved above, never execute erroneously.
Due to non-determinism, there may be traces
with the same initial state and different final states.›

record trace =
  initial :: state
  final :: state

inductive_set traces :: "prog ⇒ trace set"
for p::prog
where [intro!]: "
  σ ∈ states p ⟹
  body p ⊳ σ ↝ Some σ' ⟹
  ⦇initial = σ, final = σ'⦈ ∈ traces p"

text ‹The finite traces of a program could be turned into infinite traces
by infinitely stuttering the final state,
obtaining the `executions' defined in~\<^cite>‹"ClarksonSchneiderHyperproperties"›.
However, such infinite traces carry no additional information
compared to the finite traces from which they are derived:
for programs in this language,
the infinite executions of~\<^cite>‹"ClarksonSchneiderHyperproperties"›
are modeled as finite traces of type @{typ trace}.›


section ‹Requirement Specification›
text ‹\label{sec:specificationII}›

text ‹The target program
must process low and high inputs to yield low and high outputs,
according to constraints that involve
both non-determinism and under-specification,
with no information flowing from high inputs to low outputs.%
\footnote{As in \secref{sec:hyper},
`low' and `high' have the usual security meaning,
e.g.\ `low' means `unclassified' and `high' means `classified'.}›


subsection ‹Input/Output Variables›
text ‹\label{sec:specII:iovars}›

text ‹Even though the language defined in \secref{sec:targetII}
has no explicit features for input and output,
an external agent could
write values into some variables,
execute the program body,
and read values from some variables.
Thus, variables may be regarded as holding
inputs (in the initial state) and outputs (in the final state).›

text ‹In the target program, four variables are required:
\begin{itemize}
\item
A variable @{term "''lowIn''"} to hold low inputs.
\item
A variable @{term "''lowOut''"} to hold low outputs.
\item
A variable @{term "''highIn''"} to hold high inputs.
\item
A variable @{term "''highOut''"} to hold high outputs.
\end{itemize}
Other variables are allowed but not required.›

definition io_vars :: "prog ⇒ bool"
where "io_vars p ≡ ctxt p ⊇ {''lowIn'', ''lowOut'', ''highIn'', ''highOut''}"


subsection ‹Low Processing›
text ‹\label{sec:specII:lowproc}›

text ‹If the low input is not 0,
the low output must be 1 plus the low input.
That is,
for every possible execution of the program
where the initial state's low input is not 0,
the final state's low output must be 1 plus the low input.
If there are multiple possible final states for the same initial state
due to non-determinism,
all of them must have the same required low output.
Thus, processing of non-0 low inputs must be deterministic.›

definition low_proc_non0 :: "prog ⇒ bool"
where "low_proc_non0 p ≡
  ∀σ ∈ states p. ∀σ'.
    the (σ ''lowIn'') ≠ 0 ∧
    body p ⊳ σ ↝ Some σ' ⟶
    the (σ' ''lowOut'') = the (σ ''lowIn'') + 1"

text ‹If the low input is 0, the low output must be a random value.
That is,
for every possible initial state of the program whose low input is 0,
and for every possible value,
there must exist an execution of the program
whose final state has that value as low output.
Executions corresponding to all possible values must be possible.
Thus, processing of the 0 low input must be non-deterministic.›

definition low_proc_0 :: "prog ⇒ bool"
where "low_proc_0 p ≡
  ∀σ ∈ states p. ∀u.
    the (σ ''lowIn'') = 0 ⟶
    (∃σ'. body p ⊳ σ ↝ Some σ' ∧ the (σ' ''lowOut'') = u)"


subsection ‹High Processing›
text ‹\label{sec:specII:highproc}›

text ‹The high output must be
at least as large as the sum of the low and high inputs.
That is,
for every possible execution of the program,
the final state's high output must satisfy the constraint.
If there are multiple possible final states for the same initial state
due to non-determinism,
all of them must contain a high output that satisfies the constraint.
Since different high outputs may satisfy the constraint given the same inputs,
not all the possible final states from a given initial state
must have the same high output.
Thus, processing of high inputs is under-specified;
it can be realized deterministically or non-deterministically.›

definition high_proc :: "prog ⇒ bool"
where "high_proc p ≡
  ∀σ ∈ states p. ∀σ'.
    body p ⊳ σ ↝ Some σ' ⟶
    the (σ' ''highOut'') ≥ the (σ ''lowIn'') + the (σ ''highIn'')"


subsection ‹All Requirements›
text ‹\label{sec:specII:all}›

text ‹Besides satisfying the above requirements on
input/output variables, low processing, and high processing,
the target program must be well-formed.›

definition spec⇩0 :: "prog ⇒ bool"
where "spec⇩0 p ≡
  wfp p ∧ io_vars p ∧ low_proc_non0 p ∧ low_proc_0 p ∧ high_proc p"


subsection ‹Generalized Non-Interference›
text ‹\label{sec:specII:GNI}›

text ‹The parameters of the GNI formulation in \secref{sec:hyper}
are instantiated according to the target program under consideration.
In an execution of the program:
\begin{itemize}
\item
The value of the variable @{term "''lowIn''"} in the initial state
is the low input.
\item
The value of the variable @{term "''lowOut''"} in the final state
is the low output.
\item
The value of the variable @{term "''highIn''"} in the initial state
is the high input.
\item
The value of the variable @{term "''highOut''"} in the final state
is the high output.
\end{itemize}›

definition low_in :: "trace ⇒ nat"
where "low_in τ ≡ the (initial τ ''lowIn'')"

definition low_out :: "trace ⇒ nat"
where "low_out τ ≡ the (final τ ''lowOut'')"

definition high_in :: "trace ⇒ nat"
where "high_in τ ≡ the (initial τ ''highIn'')"

definition high_out :: "trace ⇒ nat"
where "high_out τ ≡ the (final τ ''highOut'')"

interpretation
  Target: generalized_non_interference low_in low_out high_in high_out .

abbreviation GNI :: "trace set ⇒ bool"
where "GNI ≡ Target.GNI"

text ‹The requirements in @{const spec⇩0} imply that
the set of traces of the target program satisfies GNI.›

lemma spec⇩0_GNI:
  "spec⇩0 p ⟹ GNI (traces p)"
proof (auto simp: Target.GNI_def)
  assume Spec: "spec⇩0 p"
  ― ‹Consider a trace @{text τ⇩1} and its high input:›
  fix τ⇩1::trace
  define highIn where "highIn = high_in τ⇩1"
  ― ‹Consider a trace @{text τ⇩2},
        its low input and output,
        and its states:›
  fix τ⇩2::trace
  define lowIn lowOut σ⇩2 σ⇩2'
    where "lowIn = low_in τ⇩2"
      and "lowOut = low_out τ⇩2"
      and "σ⇩2 = initial τ⇩2"
      and "σ⇩2' = final τ⇩2"
  assume "τ⇩2 ∈ traces p"
  hence Exec2: "body p ⊳ σ⇩2 ↝ Some σ⇩2'"
  and State2: "σ⇩2 ∈ states p"
  by (auto simp: σ⇩2_def σ⇩2'_def elim: traces.cases)
  ― ‹Construct the initial state of the witness trace @{text τ⇩3}:›
  define σ⇩3 where "σ⇩3 = σ⇩2 (''highIn'' ↦ highIn)"
  hence LowIn3: "the (σ⇩3 ''lowIn'') = lowIn"
  and HighIn3: "the (σ⇩3 ''highIn'') = highIn"
  by (auto simp: lowIn_def low_in_def σ⇩2_def)
  from Spec State2
  have State3: "σ⇩3 ∈ states p"
  by (auto simp: σ⇩3_def states_def match_def spec⇩0_def io_vars_def)
  ― ‹Construct the final state of @{text τ⇩3}, and @{text τ⇩3},
        by cases on @{term lowIn}:›
  show
    "∃τ⇩3 ∈ traces p.
      high_in τ⇩3 = high_in τ⇩1 ∧
      low_in τ⇩3 = low_in τ⇩2 ∧
      low_out τ⇩3 = low_out τ⇩2"
  proof (cases lowIn)
    case 0
    ― ‹Use as final state the one required by @{term low_proc_0}:›
    with Spec State3 LowIn3
    obtain σ⇩3'
    where Exec3: "body p ⊳ σ⇩3 ↝ Some σ⇩3'"
    and LowOut3: "the (σ⇩3' ''lowOut'') = lowOut"
    by (auto simp: spec⇩0_def low_proc_0_def)
    ― ‹Construct @{text τ⇩3} from its initial and final states:›
    define τ⇩3 where "τ⇩3 = ⦇initial = σ⇩3, final = σ⇩3'⦈"
    with Exec3 State3
    have Trace3: "τ⇩3 ∈ traces p"
    by auto
    have "high_in τ⇩3 = high_in τ⇩1"
    and "low_in τ⇩3 = low_in τ⇩2"
    and "low_out τ⇩3 = low_out τ⇩2"
    by (auto simp:
      high_in_def low_in_def low_out_def
      τ⇩3_def σ⇩2_def σ⇩2'_def
      highIn_def lowIn_def lowOut_def
      LowIn3 HighIn3 LowOut3)
    with Trace3
    show ?thesis
    by auto
  next
    case Suc
    hence Not0: "lowIn ≠ 0"
    by auto
    ― ‹Derive @{term τ⇩2}'s low output from @{term low_proc_non0}:›
    with Exec2 State2 Spec
    have LowOut2: "lowOut = lowIn + 1"
    by (auto simp:
      spec⇩0_def low_proc_non0_def σ⇩2_def σ⇩2'_def
      low_in_def low_out_def lowIn_def lowOut_def)
    ― ‹Use any final state for @{text τ⇩3}:›
    from Spec
    have "wfp p"
    by (auto simp: spec⇩0_def)
    with State3
    obtain σ⇩3'
    where Exec3: "body p ⊳ σ⇩3 ↝ Some σ⇩3'"
    by (metis exec_always exec_wfp_no_error not_Some_eq)
    ― ‹Derive @{text τ⇩3}'s low output from @{term low_proc_non0}:›
    with State3 Spec Not0
    have LowOut3: "the (σ⇩3' ''lowOut'') = lowIn + 1"
    by (auto simp: spec⇩0_def low_proc_non0_def LowIn3)
    ― ‹Construct @{text τ⇩3} from its initial and final states:›
    define τ⇩3 where "τ⇩3 = ⦇initial = σ⇩3, final = σ⇩3'⦈"
    with Exec3 State3
    have Trace3: "τ⇩3 ∈ traces p"
    by auto
    have "high_in τ⇩3 = high_in τ⇩1"
    and "low_in τ⇩3 = low_in τ⇩2"
    and "low_out τ⇩3 = low_out τ⇩2"
    by (auto simp:
      high_in_def low_in_def low_out_def
      τ⇩3_def σ⇩3_def σ⇩2_def
      LowOut2 LowOut3
      highIn_def lowOut_def[unfolded low_out_def, symmetric])
    with Trace3
    show ?thesis
    by auto
  qed
qed

text ‹Since GNI is implied by @{const spec⇩0}
and since every pop-refinement of @{const spec⇩0} implies @{const spec⇩0},
GNI is preserved through every pop-refinement of @{const spec⇩0}.
Pop-refinement differs from the popular notion of refinement
as inclusion of sets of traces (e.g.~\<^cite>‹"AbadiLamportRefinement"›),
which does not preserve GNI~\<^cite>‹"ClarksonSchneiderHyperproperties"›.›


section ‹Stepwise Refinement›
text ‹\label{sec:refinementII}›

text ‹The remark at the beginning of \secref{sec:refinementI}
applies here as well:
the following sequence of refinement steps
may be overkill for obtaining an implementation of @{const spec⇩0},
but illustrates concepts that should apply to more complex cases.›


subsection ‹Step 1›

text ‹\label{sec:refII:stepI}›

text ‹The program needs no other variables
besides those prescribed by @{const io_vars}.
Thus, @{const io_vars} is refined to a stronger condition
that constrains the program to contain exactly those variables,
in a certain order.›

abbreviation vars⇩0 :: "name list"
where "vars⇩0 ≡ [''lowIn'', ''lowOut'', ''highIn'', ''highOut'']"
― ‹The order of the variables in the list is arbitrary.›

lemma vars⇩0_correct:
  "vars p = vars⇩0 ⟹ io_vars p"
by (auto simp: io_vars_def ctxt_def)

text ‹The refinement of @{const io_vars}
reduces the well-formedness of the program
to the well-formedness of the body.›

abbreviation Γ⇩0 :: ctxt
where "Γ⇩0 ≡ {''lowIn'', ''lowOut'', ''highIn'', ''highOut''}"

lemma reduce_wf_prog_to_body:
  "vars p = vars⇩0 ⟹ wfp p ⟷ wfs Γ⇩0 (body p)"
by (auto simp: wfp_def ctxt_def)

text ‹The refinement of @{const io_vars}
induces a simplification of the processing constraints:
since the context of the program is now defined to be @{const Γ⇩0},
the @{term "σ ∈ states p"} conditions are replaced
with @{term "match σ Γ⇩0"} conditions.›

definition low_proc_non0⇩1 :: "prog ⇒ bool"
where "low_proc_non0⇩1 p ≡
  ∀σ σ'.
    match σ Γ⇩0 ∧
    the (σ ''lowIn'') ≠ 0 ∧
    body p ⊳ σ ↝ Some σ' ⟶
    the (σ' ''lowOut'') = the (σ ''lowIn'') + 1"

lemma low_proc_non0⇩1_correct:
  "vars p = vars⇩0 ⟹ low_proc_non0⇩1 p ⟷ low_proc_non0 p"
by (auto simp: low_proc_non0⇩1_def low_proc_non0_def states_def ctxt_def)

definition low_proc_0⇩1 :: "prog ⇒ bool"
where "low_proc_0⇩1 p ≡
  ∀σ u.
    match σ Γ⇩0 ∧
    the (σ ''lowIn'') = 0 ⟶
    (∃σ'. body p ⊳ σ ↝ Some σ' ∧ the (σ' ''lowOut'') = u)"

lemma low_proc_0⇩1_correct:
  "vars p = vars⇩0 ⟹ low_proc_0⇩1 p ⟷ low_proc_0 p"
by (auto simp: low_proc_0⇩1_def low_proc_0_def states_def ctxt_def)

definition high_proc⇩1 :: "prog ⇒ bool"
where "high_proc⇩1 p ≡
  ∀σ σ'.
    match σ Γ⇩0 ∧
    body p ⊳ σ ↝ Some σ' ⟶
    the (σ' ''highOut'') ≥ the (σ ''lowIn'') + the (σ ''highIn'')"

lemma high_proc⇩1_correct:
  "vars p = vars⇩0 ⟹ high_proc⇩1 p ⟷ high_proc p"
by (auto simp: high_proc⇩1_def high_proc_def states_def ctxt_def)

text ‹The refinement of @{const spec⇩0} consists of
the refinement of @{const io_vars} and of the simplified constraints.›

definition spec⇩1 :: "prog ⇒ bool"
where "spec⇩1 p ≡
  vars p = vars⇩0 ∧
  wfs Γ⇩0 (body p) ∧
  low_proc_non0⇩1 p ∧
  low_proc_0⇩1 p ∧
  high_proc⇩1 p"

lemma step_1_correct:
  "spec⇩1 p ⟹ spec⇩0 p"
by (auto simp:
  spec⇩1_def spec⇩0_def
  vars⇩0_correct
  reduce_wf_prog_to_body
  low_proc_non0⇩1_correct
  low_proc_0⇩1_correct
  high_proc⇩1_correct)


subsection ‹Step 2›

text ‹\label{sec:refII:stepII}›

text ‹The body of the target program is split
into two sequential statements---%
one to compute the low output and one to compute the high output.›

definition body_split :: "prog ⇒ stmt ⇒ stmt ⇒ bool"
where "body_split p s⇩L s⇩H ≡ body p = Seq s⇩L s⇩H"
― ‹The order of the two statements in the body is arbitrary.›

text ‹The splitting reduces the well-formedness of the body
to the well-formedness of the two statements.›

lemma reduce_wf_body_to_stmts:
  "body_split p s⇩L s⇩H ⟹ wfs Γ⇩0 (body p) ⟷ wfs Γ⇩0 s⇩L ∧ wfs Γ⇩0 s⇩H"
by (auto simp: body_split_def)

text ‹The processing predicates over programs
are refined to predicates over the statements @{term s⇩L} and @{term s⇩H}.
Since @{term s⇩H} follows @{term s⇩L}:
\begin{itemize}
\item
@{term s⇩H} must not change the low output, which is computed by @{term s⇩L}.
\item
@{term s⇩L} must not change the low and high inputs, which are used by @{term s⇩H}.
\end{itemize}›

definition low_proc_non0⇩2 :: "stmt ⇒ bool"
where "low_proc_non0⇩2 s⇩L ≡
  ∀σ σ'.
    match σ Γ⇩0 ∧
    the (σ ''lowIn'') ≠ 0 ∧
    s⇩L ⊳ σ ↝ Some σ' ⟶
    the (σ' ''lowOut'') = the (σ ''lowIn'') + 1"

definition low_proc_0⇩2 :: "stmt ⇒ bool"
where "low_proc_0⇩2 s⇩L ≡
  ∀σ u.
    match σ Γ⇩0 ∧
    the (σ ''lowIn'') = 0 ⟶
    (∃σ'. s⇩L ⊳ σ ↝ Some σ' ∧ the (σ' ''lowOut'') = u)"

definition low_proc_no_input_change :: "stmt ⇒ bool"
where "low_proc_no_input_change s⇩L ≡
  ∀σ σ'.
    match σ Γ⇩0 ∧
    s⇩L ⊳ σ ↝ Some σ' ⟶
    the (σ' ''lowIn'') = the (σ ''lowIn'') ∧
    the (σ' ''highIn'') = the (σ ''highIn'')"

definition high_proc⇩2 :: "stmt ⇒ bool"
where "high_proc⇩2 s⇩H ≡
  ∀σ σ'.
    match σ Γ⇩0 ∧
    s⇩H ⊳ σ ↝ Some σ' ⟶
    the (σ' ''highOut'') ≥ the (σ ''lowIn'') + the (σ ''highIn'')"

definition high_proc_no_low_output_change :: "stmt ⇒ bool"
where "high_proc_no_low_output_change s⇩H ≡
  ∀σ σ'.
    match σ Γ⇩0 ∧
    s⇩H ⊳ σ ↝ Some σ' ⟶
    the (σ' ''lowOut'') = the (σ ''lowOut'')"

lemma proc⇩2_correct:
  assumes Body: "body_split p s⇩L s⇩H"
  assumes WfLow: "wfs Γ⇩0 s⇩L"
  assumes WfHigh: "wfs Γ⇩0 s⇩H"
  assumes LowNon0: "low_proc_non0⇩2 s⇩L"
  assumes Low0: "low_proc_0⇩2 s⇩L"
  assumes LowSame: "low_proc_no_input_change s⇩L"
  assumes High: "high_proc⇩2 s⇩H"
  assumes HighSame: "high_proc_no_low_output_change s⇩H"
  shows "low_proc_non0⇩1 p ∧ low_proc_0⇩1 p ∧ high_proc⇩1 p"
proof (auto, goal_cases)
  ― ‹Processing of non-0 low input:›
  case 1
  show ?case
  proof (auto simp: low_proc_non0⇩1_def)
    fix σ σ'
    assume "body p ⊳ σ ↝ Some σ'"
    with Body
    obtain σ⇩i
    where ExecLow: "s⇩L ⊳ σ ↝ Some σ⇩i"
    and ExecHigh: "s⇩H ⊳ σ⇩i ↝ Some σ'"
    by (auto simp: body_split_def elim: exec.cases)
    assume Non0: "the (σ ''lowIn'') > 0"
    assume InitMatch: "match σ Γ⇩0"
    with ExecLow WfLow
    have "match σ⇩i Γ⇩0"
    by (auto simp: exec_wfs_match)
    with Non0 InitMatch ExecLow ExecHigh HighSame LowNon0
    show "the (σ' ''lowOut'') = Suc (the (σ ''lowIn''))"
    unfolding high_proc_no_low_output_change_def low_proc_non0⇩2_def
    by (metis Suc_eq_plus1 gr_implies_not0)
  qed
next
  ― ‹Processing of 0 low input:›
  case 2
  show ?case
  proof (auto simp: low_proc_0⇩1_def)
    fix σ u
    assume InitMatch: "match σ Γ⇩0"
    and "the (σ ''lowIn'') = 0"
    with Low0
    obtain σ⇩i
    where ExecLow: "s⇩L ⊳ σ ↝ Some σ⇩i"
    and LowOut: "the (σ⇩i ''lowOut'') = u"
    by (auto simp: low_proc_0⇩2_def)
    from InitMatch ExecLow WfLow
    have MidMatch: "match σ⇩i Γ⇩0"
    by (auto simp: exec_wfs_match)
    with WfHigh
    obtain σ'
    where ExecHigh: "s⇩H ⊳ σ⇩i ↝ Some σ'"
    by (metis exec_wfs_always_match)
    with HighSame MidMatch
    have "the (σ' ''lowOut'') = the (σ⇩i ''lowOut'')"
    by (auto simp: high_proc_no_low_output_change_def)
    with ExecLow ExecHigh Body LowOut
    show "∃σ'. body p ⊳ σ ↝ Some σ' ∧ the (σ' ''lowOut'') = u"
    by (auto simp add: body_split_def dest: ExecSeqOK)
  qed
next
  ― ‹Processing of high input:›
  case 3
  show ?case
  proof (auto simp: high_proc⇩1_def)
    fix σ σ'
    assume "body p ⊳ σ ↝ Some σ'"
    with Body
    obtain σ⇩i
    where ExecLow: "s⇩L ⊳ σ ↝ Some σ⇩i"
    and ExecHigh: "s⇩H ⊳ σ⇩i ↝ Some σ'"
    by (auto simp: body_split_def elim: exec.cases)
    assume InitMatch: "match σ Γ⇩0"
    with ExecLow WfLow
    have "match σ⇩i Γ⇩0"
    by (auto simp: exec_wfs_match)
    with InitMatch ExecLow ExecHigh LowSame High
    show "the (σ' ''highOut'') ≥ the (σ ''lowIn'') + the (σ ''highIn'')"
    unfolding low_proc_no_input_change_def high_proc⇩2_def
    by metis
  qed
qed

text ‹The refined specification consists of
the splitting of the body into the two sequential statements
and the refined well-formedness and processing constraints.›

definition spec⇩2 :: "prog ⇒ bool"
where "spec⇩2 p ≡
  vars p = vars⇩0 ∧
  (∃s⇩L s⇩H.
    body_split p s⇩L s⇩H ∧
    wfs Γ⇩0 s⇩L ∧
    wfs Γ⇩0 s⇩H ∧
    low_proc_non0⇩2 s⇩L ∧
    low_proc_0⇩2 s⇩L ∧
    low_proc_no_input_change s⇩L ∧
    high_proc⇩2 s⇩H ∧
    high_proc_no_low_output_change s⇩H)"

lemma step_2_correct:
  "spec⇩2 p ⟹ spec⇩1 p"
by (auto simp: spec⇩2_def spec⇩1_def reduce_wf_body_to_stmts proc⇩2_correct)


subsection ‹Step 3›

text ‹\label{sec:refII:stepIII}›

text ‹The processing constraints
@{const low_proc_non0⇩2} and @{const low_proc_0⇩2} on @{term s⇩L}
suggest the use of a conditional that
randomizes @{term "''lowOut''"} if @{term "''lowIn''"} is 0,
and stores 1 plus @{term "''lowIn''"} into @{term "''lowOut''"} otherwise.›

abbreviation s⇩L⇩0 :: stmt
where "s⇩L⇩0 ≡
  IfEq
    (Var ''lowIn'')
    (Const 0)
    (Random ''lowOut'')
    (Assign ''lowOut'' (Add (Var ''lowIn'') (Const 1)))"

lemma wfs_s⇩L⇩0:
  "wfs Γ⇩0 s⇩L⇩0"
by auto

lemma low_proc_non0_s⇩L⇩0:
  "low_proc_non0⇩2 s⇩L⇩0"
proof (auto simp only: low_proc_non0⇩2_def)
  fix σ σ'
  assume Match: "match σ Γ⇩0"
  assume "s⇩L⇩0 ⊳ σ ↝ Some σ'"
  and "the (σ ''lowIn'') > 0"
  hence "(Assign ''lowOut'' (Add (Var ''lowIn'') (Const 1))) ⊳ σ ↝ Some σ'"
  by (auto elim: exec.cases)
  hence "σ' = σ (''lowOut'' ↦ the (eval σ (Add (Var ''lowIn'') (Const 1))))"
  by (auto elim: exec.cases)
  with Match
  show "the (σ' ''lowOut'') = the (σ ''lowIn'') + 1"
  by (auto simp: match_def add_opt_def split: option.split)
qed

lemma low_proc_0_s⇩L⇩0:
  "low_proc_0⇩2 s⇩L⇩0"
proof (auto simp only: low_proc_0⇩2_def)
  fix σ u
  assume Match: "match σ Γ⇩0"
  and "the (σ ''lowIn'') = 0"
  hence LowIn0: "σ ''lowIn'' = Some 0"
  by (cases "σ ''lowIn''", auto simp: match_def)
  from Match
  have "''lowOut'' ∈ dom σ"
  by (auto simp: match_def)
  then obtain σ'
  where ExecRand: "Random ''lowOut'' ⊳ σ ↝ Some σ'"
  and "σ' = σ (''lowOut'' ↦ u)"
  by (auto intro: ExecRandomOK)
  hence "the (σ' ''lowOut'') = u"
  by auto
  with ExecRand LowIn0
  show "∃σ'. s⇩L⇩0 ⊳ σ ↝ Some σ' ∧ the (σ' ''lowOut'') = u"
  by (metis ExecCondTrue eval.simps(1) eval.simps(2))
qed

lemma low_proc_no_input_change_s⇩L⇩0:
  "low_proc_no_input_change s⇩L⇩0"
proof (unfold low_proc_no_input_change_def, clarify)
  fix σ σ'
  assume "s⇩L⇩0 ⊳ σ ↝ Some σ'"
  hence "
    Random ''lowOut'' ⊳ σ ↝ Some σ' ∨
    Assign ''lowOut'' (Add (Var ''lowIn'') (Const 1)) ⊳ σ ↝ Some σ'"
  by (auto elim: exec.cases)
  thus "
    the (σ' ''lowIn'') = the (σ ''lowIn'') ∧
    the (σ' ''highIn'') = the (σ ''highIn'')"
  by (auto elim: exec.cases)
qed

text ‹The refined specification is obtained
by simplification using the definition of @{term s⇩L}.›

definition spec⇩3 :: "prog ⇒ bool"
where "spec⇩3 p ≡
  vars p = vars⇩0 ∧
  (∃s⇩H.
    body_split p s⇩L⇩0 s⇩H ∧
    wfs Γ⇩0 s⇩H ∧
    high_proc⇩2 s⇩H ∧
    high_proc_no_low_output_change s⇩H)"

lemma step_3_correct:
  "spec⇩3 p ⟹ spec⇩2 p"
unfolding spec⇩3_def spec⇩2_def
by (metis
  wfs_s⇩L⇩0 low_proc_non0_s⇩L⇩0 low_proc_0_s⇩L⇩0 low_proc_no_input_change_s⇩L⇩0)

text ‹The non-determinism required by @{const low_proc_0}
cannot be pop-refined away.
In particular, @{term s⇩L} cannot be defined
to copy the high input to the low output when the low input is 0,
which would lead to a program that does not satisfy GNI.›


subsection ‹Step 4›

text ‹\label{sec:refII:stepIV}›

text ‹The processing constraint @{const high_proc⇩2} on @{term s⇩H}
can be satisfied in different ways.
A simple way is to pick the sum of the low and high inputs:
@{const high_proc⇩2} is refined by replacing the inequality with an equality.›

definition high_proc⇩4 :: "stmt ⇒ bool"
where "high_proc⇩4 s⇩H ≡
  ∀σ σ'.
    match σ Γ⇩0 ∧
    s⇩H ⊳ σ ↝ Some σ' ⟶
    the (σ' ''highOut'') = the (σ ''lowIn'') + the (σ ''highIn'')"

lemma high_proc⇩4_correct:
  "high_proc⇩4 s⇩H ⟹ high_proc⇩2 s⇩H"
by (auto simp: high_proc⇩4_def high_proc⇩2_def)

text ‹The refined specification is obtained
by substituting the refined processing constraint on @{term s⇩H}.›

definition spec⇩4 :: "prog ⇒ bool"
where "spec⇩4 p ≡
  vars p = vars⇩0 ∧
  (∃s⇩H.
    body_split p s⇩L⇩0 s⇩H ∧
    wfs Γ⇩0 s⇩H ∧
    high_proc⇩4 s⇩H ∧
    high_proc_no_low_output_change s⇩H)"

lemma step_4_correct:
  "spec⇩4 p ⟹ spec⇩3 p"
by (auto simp: spec⇩4_def spec⇩3_def high_proc⇩4_correct)


subsection ‹Step 5›

text ‹\label{sec:refII:stepV}›

text ‹The refined processing constraint @{const high_proc⇩4} on @{term s⇩H}
suggest the use of an assignment that
stores the sum of @{term "''lowIn''"} and @{term "''highIn''"}
into @{term "''highOut''"}.›

abbreviation s⇩H⇩0 :: stmt
where "s⇩H⇩0 ≡ Assign ''highOut'' (Add (Var ''lowIn'') (Var ''highIn''))"

lemma wfs_s⇩H⇩0:
  "wfs Γ⇩0 s⇩H⇩0"
by auto

lemma high_proc⇩4_s⇩H⇩0:
  "high_proc⇩4 s⇩H⇩0"
proof (auto simp: high_proc⇩4_def)
  fix σ σ'
  assume Match: "match σ Γ⇩0"
  assume "s⇩H⇩0 ⊳ σ ↝ Some σ'"
  hence "
    σ' = σ (''highOut'' ↦ the (eval σ (Add (Var ''lowIn'') (Var ''highIn''))))"
  by (auto elim: exec.cases)
  with Match
  show "the (σ' ''highOut'') = the (σ ''lowIn'') + the (σ ''highIn'')"
  by (auto simp: match_def add_opt_def split: option.split)
qed

lemma high_proc_no_low_output_change_s⇩H⇩0:
  "high_proc_no_low_output_change s⇩H⇩0"
by (auto simp: high_proc_no_low_output_change_def elim: exec.cases)

text ‹The refined specification is obtained
by simplification using the definition of @{term s⇩H}.›

definition spec⇩5 :: "prog ⇒ bool"
where "spec⇩5 p ≡ vars p = vars⇩0 ∧ body_split p s⇩L⇩0 s⇩H⇩0"

lemma step_5_correct:
  "spec⇩5 p ⟹ spec⇩4 p"
unfolding spec⇩5_def spec⇩4_def
by (metis wfs_s⇩H⇩0 high_proc⇩4_s⇩H⇩0 high_proc_no_low_output_change_s⇩H⇩0)


subsection ‹Step 6›

text ‹\label{sec:refII:stepVI}›

text ‹@{const spec⇩5}, which defines the variables and the body,
is refined to characterize a unique program in explicit syntactic form.›

abbreviation p⇩0 :: prog
where "p⇩0 ≡ ⦇vars = vars⇩0, body = Seq s⇩L⇩0 s⇩H⇩0⦈"

definition spec⇩6 :: "prog ⇒ bool"
where "spec⇩6 p ≡ p = p⇩0"

lemma step_6_correct:
  "spec⇩6 p ⟹ spec⇩5 p"
by (auto simp: spec⇩6_def spec⇩5_def body_split_def)

text ‹The program satisfies @{const spec⇩0} by construction.
The program witnesses the consistency of the requirements,
i.e.\ the fact that @{const spec⇩0} is not always false.›

lemma p⇩0_sat_spec⇩0:
  "spec⇩0 p⇩0"
by (metis
 step_1_correct
 step_2_correct
 step_3_correct
 step_4_correct
 step_5_correct
 step_6_correct
 spec⇩6_def)

text ‹From @{const p⇩0}, the program text
\begin{verbatim}
  prog {
    vars {
      lowIn
      lowOut
      highIn
      highOut
    }
    body {
      if (lowIn == 0) {
        randomize lowOut;
      } else {
        lowOut = lowIn + 1;
      }
      highOut = lowIn + highIn;
    }
  }
\end{verbatim}
is easily obtained.›


end %invisible