Abstract
A computing policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iif the decision of the first rule in P, that matches the request is “accept” (or “reject”, respectively). Examples of computing policies are firewalls, routing policies and software-defined networks in the Internet, and access control policies. A policy P is called adequate iff P accepts at least one request. It has been shown earlier that the problem of determining whether a given policy is adequate (called the policy adequacy problem) is NP-hard. In this paper, we present an efficient algorithm that use SAT solvers to solve the policy adequacy problem. Experimental results show that our algorithm can determine whether a given policy with 90 K rules is adequate in about 3 min.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Files are available at http://www.cs.utexas.edu/~marijn/firewall.
References
Audemard, G., Simon, L.: Predicting learnt clauses quality in modern SAT solvers. In: Boutilier, C. (ed.) IJCAI 2009, pp. 399–404 (2009)
Elmallah, E.S., Gouda, M.G.: Hardness of firewall analysis. In: Noubir, G., Raynal, M. (eds.) NETYS 2014. LNCS, vol. 8593, pp. 153–168. Springer, Heidelberg (2014). doi:10.1007/978-3-319-09581-3_11
Heule, M.J.H., Reaz, R., Acharya, H.B., Gouda, M.G.: Analysis of computing policies using sat solvers. In: Technical Report No. TR-16-14, Department of Computer Science, The Universisty of Texas at Austin (2016)
Hoffman, D., Yoo, K.: Blowtorch: a framework for firewall test automation. In: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 96–103. ACM (2005)
Kamara, S., Fahmy, S., Schultz, E., Kerschbaum, F., Frantzen, M.: Analysis of vulnerabilities in internet firewalls. Comput. Secur. 22(3), 214–232 (2003)
Mayer, A., Wool, A., Ziskind, E.: Fang: A firewall analysis engine. In: IEEE Symposium on Security and Privacy, pp. 177–187. IEEE (2000)
Zhang, S., Mahmoud, A., Malik, S., Narain, S.: Verification and synthesis of firewalls using SAT and QBF. In: Proceedings of the 20th IEEE International Conference on Network Protocols (ICNP), pp. 1–6. IEEE (2012)
Acknowledgements
Research of M. J. H. Heule is supported by DARPA Contract FA8750-15-2-0096 and NSF Award CCF-1526760. Research of M. G. Gouda is supported by NSF Award 1440035.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Heule, M.J.H., Reaz, R., Acharya, H.B., Gouda, M.G. (2016). Analysis of Computing Policies Using SAT Solvers (Short Paper). In: Bonakdarpour, B., Petit, F. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2016. Lecture Notes in Computer Science(), vol 10083. Springer, Cham. https://doi.org/10.1007/978-3-319-49259-9_16
Download citation
DOI: https://doi.org/10.1007/978-3-319-49259-9_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49258-2
Online ISBN: 978-3-319-49259-9
eBook Packages: Computer ScienceComputer Science (R0)