
Computing, Volume 101, Issue 9, pp 1307–1326

Policy expressions and the bottom-up design of computing policies

  • Rezwana Reaz
  • H. B. Acharya
  • Ehab S. Elmallah
  • Jorge A. Cobb
  • Mohamed G. Gouda

Abstract

A policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the decision of the first rule in P that matches the request is “accept” (or “reject”, respectively). Examples of computing policies are firewalls, routing policies and software-defined networks in the Internet, and access control policies. In this paper, we present a generalization of policies called policy expressions. A policy expression is specified using one or more policies and the three policy operators: “not”, “and”, and “or”. We show that policy expressions can be utilized to support bottom-up methods for designing policies. We also show that each policy expression can be represented by a set of special types of policies, called slices. We present several algorithms that use the slice representation of given policy expressions to verify whether the given policy expressions satisfy logical properties such as adequacy, implication, and equivalence. Finally, we present 19 equivalence laws of policy expressions.
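The first-match semantics and the three operators can be made concrete with a short sketch. This is an added example, not code from the paper: it checks the properties by exhaustive enumeration over a small constructed request space rather than with the paper's slice-based algorithms, and it assumes that every policy ends in a catch-all rule, that "adequate" means accepting at least one request, and that "implies" means accepting a subset of the requests; the field names, the domain and the policies P and Q are constructed.

```python
from itertools import product

# A rule is (predicate, decision); a predicate maps a field to an inclusive (lo, hi) range.
# Assumption: every policy ends with a catch-all rule, so each request matches some rule.

def matches(pred, req):
    return all(lo <= req[f] <= hi for f, (lo, hi) in pred.items())

def accepts(policy, req):
    """First-match semantics: the first rule whose predicate matches decides."""
    for pred, decision in policy:
        if matches(pred, req):
            return decision == "accept"
    raise ValueError(f"policy has no rule matching {req!r}")

def evaluate(expr, req):
    """expr is a policy (list of rules) or ('not', e), ('and', e1, e2), ('or', e1, e2)."""
    if isinstance(expr, list):
        return accepts(expr, req)
    op, *args = expr
    if op == "not":
        return not evaluate(args[0], req)
    if op == "and":
        return all(evaluate(a, req) for a in args)
    if op == "or":
        return any(evaluate(a, req) for a in args)
    raise ValueError(f"unknown operator {op!r}")

DOMAIN = {"src": range(8), "port": range(4)}  # constructed toy request space

def requests():
    fields = list(DOMAIN)
    for vals in product(*(DOMAIN[f] for f in fields)):
        yield dict(zip(fields, vals))

def adequate(e):        # assumed definition: e accepts at least one request
    return any(evaluate(e, r) for r in requests())

def implies(e1, e2):    # assumed definition: every request e1 accepts, e2 accepts
    return all(evaluate(e2, r) for r in requests() if evaluate(e1, r))

def equivalent(e1, e2):
    return implies(e1, e2) and implies(e2, e1)

# Constructed policies: P accepts src 4..7 on ports 0..1; Q accepts any src on ports 0..1.
P = [({"src": (0, 3)}, "reject"), ({"port": (0, 1)}, "accept"), ({}, "reject")]
Q = [({"port": (2, 3)}, "reject"), ({}, "accept")]
```

Because P's first rule rejects sources 0..3 before the port rule is reached, P implies Q but not the reverse, and the composed expression ("and", P, Q) is equivalent to P alone.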

Keywords

Policies, Firewalls, Access control, Routing policies

Mathematics Subject Classification

68-XX (primary) 68M10 68W99 03B70 03F60 (secondary) 

Notes

Acknowledgements

The authors are grateful to the reviewers for their detailed and encouraging comments on an earlier draft of this paper.

Funding

Funding was provided by National Science Foundation (1440035).


Copyright information

© Springer-Verlag GmbH Austria, part of Springer Nature 2018

Authors and Affiliations

  1. University of Texas at Austin, Austin, USA
  2. Rochester Institute of Technology, Rochester, USA
  3. University of Alberta, Edmonton, Canada
  4. University of Texas at Dallas, Richardson, USA
