Abstract
A computing policy is a sequence of rules, where each rule consists of a predicate and an action, and where each action is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the action of the first rule in P that is matched by the request is “accept” (or “reject”, respectively). A pair of policies (P, Q) is called an accept-implication pair iff every request that is accepted by policy P is also accepted by policy Q. The implication problem of policies is to design an efficient algorithm that can take as input any policy pair (P, Q) and determine whether (P, Q) is an accept-implication pair. Such an algorithm can support step-wise refinement methods for designing policies. In this paper, we present a polynomial algorithm that can take any policy pair (P, Q) and determine whether (P, Q) is an accept-implication pair. The time complexity of this algorithm is \(\mathcal{O}((m + n)^{t+2})\), where m is the number of rules in policy P, n is the number of rules in policy Q, and t is the number of attributes in P or in Q. This time complexity is polynomial when t is fixed, as is usually the case.
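The definitions above can be checked mechanically. The following is an added example, not the paper's algorithm (which this page does not reproduce): it decides accept-implication by evaluating both policies on one representative request per cell of the grid cut out by the rules' interval endpoints. Interval predicates, the default "reject" for unmatched requests, and the sample policies are assumptions of the example.

```python
from itertools import product

# Rule = (predicate, action). Predicate = one inclusive integer interval
# (lo, hi) per attribute. Interval predicates are an assumption of this sketch.

def decide(policy, request):
    """First-match semantics: return the action of the first matching rule."""
    for predicate, action in policy:
        if all(lo <= v <= hi for v, (lo, hi) in zip(request, predicate)):
            return action
    return "reject"  # assumption: a request that matches no rule is rejected

def accept_implies(p, q, domains):
    """Return (True, None) if every request accepted by p is accepted by q,
    otherwise (False, witness_request)."""
    axes = []
    for a, (lo_d, hi_d) in enumerate(domains):
        # Interval endpoints cut attribute `a` into segments on which every
        # predicate is constant; the segment start is the representative.
        starts = {lo_d}
        for predicate, _ in list(p) + list(q):
            lo, hi = predicate[a]
            starts.update(x for x in (lo, hi + 1) if lo_d <= x <= hi_d)
        axes.append(sorted(starts))
    for request in product(*axes):
        if decide(p, request) == "accept" and decide(q, request) != "accept":
            return False, request
    return True, None

# Constructed sample: attributes are (source id, destination port).
DOMAINS = [(0, 255), (0, 65535)]
ANY_SRC, ANY_PORT = DOMAINS
P = [(((10, 20), ANY_PORT), "reject"),    # block sources 10..20 entirely
     ((ANY_SRC, (80, 80)), "accept"),     # everyone else may reach port 80
     ((ANY_SRC, ANY_PORT), "reject")]
Q = [((ANY_SRC, (80, 443)), "accept"),    # looser: ports 80..443 for all
     ((ANY_SRC, ANY_PORT), "reject")]

if __name__ == "__main__":
    print(accept_implies(P, Q, DOMAINS))  # P is at least as strict as Q
    print(accept_implies(Q, P, DOMAINS))  # witness: Q accepts, P rejects
```

The grid has at most \((2(m+n)+1)^{t}\) cells, so this check is also polynomial for fixed t; a returned witness is a concrete request that the first policy accepts and the second does not.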
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Reaz, R., Ali, M., Gouda, M.G., Heule, M.J.H., Elmallah, E.S. (2015). The Implication Problem of Computing Policies. In: Pelc, A., Schwarzmann, A. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2015. Lecture Notes in Computer Science, vol 9212. Springer, Cham. https://doi.org/10.1007/978-3-319-21741-3_8
DOI: https://doi.org/10.1007/978-3-319-21741-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-21740-6
Online ISBN: 978-3-319-21741-3
eBook Packages: Computer Science, Computer Science (R0)