Isabelle Insider and Infrastructure Framework

• IIIf is a formalized framework implemented in Isabelle/HOL that integrates Kripke structures, CTL, and recursive attack trees for precise security modeling.
• It provides specification-driven dependability engineering through iterative refinement, threat modeling, and invariant certification to ensure policy adequacy.
• IIIf supports rigorous reasoning on insider threats and advanced security properties like noninterference and differential privacy, addressing refinement paradoxes via machine-checked proofs.

The Isabelle Insider and Infrastructure framework (IIIf) is a mechanized, deeply formalized environment built atop Isabelle/HOL for modeling dynamic, distributed, and policy-governed systems with explicit handling of insider threats, refinement-based dependability engineering, and advanced security properties such as noninterference and differential privacy. IIIf unifies Kripke structures and Computation Tree Logic (CTL) operators with recursive attack trees, supporting a full cycle of specification, automated counterexample generation, policy refinement, and invariant certification. Its architecture and methodology allow rigorous machine-checked reasoning about attack surfaces, protocol evolution, policy adequacy, and security refinement paradoxes, as illustrated by multiple case studies on organizational workflows, cyber-physical systems, federated learning, and large distributed infrastructures.

1. Logical and Architectural Foundations

IIIf is realized as a stack of Isabelle/HOL theory modules, embedding several semantic layers:

• Meta-logic and Object-logic: The framework is implemented strictly inside the meta-logic Pure and the object logic HOL, underpinned by a simply-typed λ-calculus and classical type grammar: $$\tau ::= \mathsf{bool} \mid \mathsf{nat} \mid \alpha \mid \tau_1 \Rightarrow \tau_2 \mid \tau_1 \times \tau_2 \mid \tau~\mathsf{set}$$.
• Kripke Structures and State Transition: Central semantic objects are Kripke structures

$K = (S, I, R)$

with $S$ (states), $I \subseteq S$ (initial states), and $R \subseteq S \times S$ (transition relation). In Isabelle:

record ('σ) kripke = states :: "'σ set" init :: "'σ set" trans :: "('σ × 'σ) set"

• Computation Tree Logic: CTL operators are embedded as least and greatest fixpoints. The modal operator $\mathsf{EF}\;P$ holds iff there is a finite path from some $i \in I$ to $p \in P$:

$$K \models \mathsf{EF}\;P \iff \exists s_0,s_1,\dots,s_n.\;s_0\in I \wedge \forall j < n.\,(s_j, s_{j+1}) \in R \wedge s_n \in P$$

Supported in Isabelle by inductive definitions:

inductive EF :: "('σ) kripke ⇒ 'σ set ⇒ bool" where EF_base: "i ∈ K.init ⟹ i ∈ P ⟹ EF K P" | EF_step: "⟦ i ∈ K.init ∨ (∃j. EF K {j}); (i,j) ∈ K.trans; j ∈ P ⟧ ⟹ EF K P"

• Recursive Attack Trees: An attree datatype models structured attacks with base, conjunction (And), and disjunction (Or) nodes. Validity is defined constructively, soundness is established for correct correspondence to CTL-reachability.
• Dependability Process: The RR-cycle interleaves model refinement, threat modeling, attack tree construction, and proof, yielding iterative improvement and full machine-checked explanations.

2. Specification Language and Modeling Constructs

IIIf’s modeling layer provides rigorously typed system representations:

• State Types and Records: Users define state types via records. For instance:

  record user_loc = uid :: nat loc :: string epiID :: nat

• State-Transition Predicates: System dynamics are specified by inductives like:

  inductive step_CWA :: "user_loc ⇒ user_loc ⇒ bool" where UpdateLoc: ... | UpdateEpi: ...

• Policies and Actors: Actors are abstract types, with credentials and roles encoded for each identity. Polices are predicates mapping actors and actions to authorizations:

  definition enables :: [infrastructure, location, actor, action] ⇒ bool where "enables I ℓ a a' ⟷ ∃(p,e) ∈ δ I (graphI I) ℓ. a' ∈ e ∧ p a"

• Graphical Infrastructure: The system graph structure, local policy maps, and state resources are packaged in datatypes such as igraph and infrastructure.

3. Dependability Engineering and Refinement-Risk Cycle

A methodological centerpiece is the RR-cycle:

• Iterative Steps:

1. Specification: Compose an initial abstract Kripke state, policies, and invariants.
2. Threat Modeling: Extend the state space or transitions to encode attacker capabilities; construct abstract attack trees.
3. Attack Tree Validity: Prove the constructed tree is valid, thus exhibiting a CTL-reachable bad state.
4. Adequacy Proof: Use the adequacy theorems to certify that attack tree validity implies reachability.
5. Refinement: Strengthen policies, type definitions, or constraints in response.
6. Iteration: Repeat until desired security goals are reached.

• Formal Refinement: The system-refinement relation on Kripke structures,

$$K \preceq_E K' \iff \forall s_0,s.\;s_0\in\mathit{init}(K')\wedge s_0\stackrel{*}{\longrightarrow}s \implies E(s_0)\stackrel{*}{\longrightarrow}E(s) \wedge (\forall s_0.\;s_0\in\mathit{init}(K')\implies E(s_0)\in\mathit{init}(K)).$$

ensures property preservation for temporal logic formulas.

4. Security Properties: Noninterference, Differential Privacy, and Refinement Paradox

• Noninterference (NI): IIIf formalizes NI for infrastructures via actor clearance and security labels (e.g., DLM lattice). The property states that if two states are indistinguishable to an attacker, each step of one can be matched by a trace of the other, maintaining indistinguishability:

$$s_0 \approx_L s_1 \implies (s_0 \rightarrow s_0' \implies \exists s_1'.\;s_1 \to^* s_1' \wedge s_0' \approx_L s_1')$$

encoded and proved in Isabelle/HOL via structured inductives (Kammüller, 14 Dec 2024).

• Refinement Paradox & Morgan's Solution: Refinement may break noninterference. To resolve this, every confidential component is annotated with a "shadow field" tracking all possible attacker-visible values; refinements must preserve (not shrink) the shadow sets. Security-preserving refinement requires injectivity over shadow fields.
• Differential Privacy and Attacker Advantage: Probabilistic CTL quantifiers allow reasoning over trace distributions. DP is formalized as

$$\Pr_{t\in\mathrm{Paths}(M)}[\mathrm{curmodpar}(t)=g_0] \leq e^{\epsilon}\,\Pr_{t\in\mathrm{Paths}(M)}[\mathrm{curmodpar}(t)=g_1]$$

Attacker advantage is defined cryptographically, and bounded directly in terms of the DP parameter $\epsilon$ (Kammüller, 6 Dec 2025).

5. Extensible Formalization and Case Studies

IIIf has been instantiated for a range of security engineering tasks:

• Corona-Warn-App Attack Analysis: Modeling user location transitions and attacker linking via attack trees, showing reachability of compromise states and guiding refinement (Kammüller, 2021).
• Airplane Security Policy Verification: Modeling psychological tipping points, actor impersonation, local policy constraints, and counterexample-guided refinement of cockpit access policies. Case paper demonstrates the discovery of subtleties (e.g., insufficiency of naive two-person rule) and formal closure under added invariants (Kammüller et al., 2020).
• Flightradar System and Noninterference: Demonstrates refinement paradox and Morgan's shadow fix, ensuring security properties under system evolution (Kammüller, 14 Dec 2024).
• Federated Learning with DP in Satellite Swarms: Models FL rounds, gradient aggregation, and DP composition, mechanizing bounds on attacker advantage for eavesdropping adversaries and providing compositional privacy guarantees (Kammüller, 6 Dec 2025).
• IoT Healthcare with GDPR and Blockchain: Models data labeling, privacy-preserving evaluation functions, and global ledger updating, with blockchain-style consensus safety (Kammüller, 2020).

6. Practical Integration and Tooling

Practitioners utilize IIIf via the following workflow:

1. Create a theory session importing core IIIf modules.
2. Specify state-types, transition relations, and policy predicates.
3. Instantiate Kripke structures over infrastructure states.
4. Encode security goals as CTL formulas and attacks as concrete attack trees.
5. Carry out proofs using Isabelle/jEdit proof methods (simp, auto, etc.) and automated tactics (Sledgehammer).
6. Iterate by refining the model or policies, replaying attack-tree validity and CTL adequacy.
7. Use ML tactics for attack-tree generation and code export functions for provision of traceable explanations and documentation.

Automation is further supported by batch-building workflows, custom ML extension for default attack tree generation, and reporting tools for trace and proof extraction in LaTeX/HTML.

7. Significance and Scope

IIIf provides a mechanized, specification-driven approach to security engineering for dynamic, policy-rich infrastructures. Its formal meta-theory ensures property preservation under system evolution, supports direct reasoning about insiders and policy subversion, and yields explanations as precise as formal proofs—yet structured so that stakeholders outside the technical domain (e.g., auditors, risk managers) can trace the logical explanation from state transitions to attack-tree validity to security theorem discharge. The framework’s modularity and extensibility make it suitable for diverse domains, from critical infrastructure and avionics to distributed machine learning, privacy-preserving healthcare, and beyond (Kammüller, 2021, Kammüller et al., 2020, Kammüller, 14 Dec 2024, Kammüller, 6 Dec 2025, Kammüller, 2020).