The Implication Problem of Computing Policies

  • Rezwana Reaz
  • Muqeet Ali
  • Mohamed G. Gouda
  • Marijn J. H. Heule
  • Ehab S. Elmallah
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9212)

Abstract

A computing policy is a sequence of rules, where each rule consists of a predicate and an action, and where each action is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the action of the first rule in P that is matched by the request is “accept” (or “reject”, respectively). A pair of policies (P, Q) is called an accept-implication pair iff every request that is accepted by policy P is also accepted by policy Q. The implication problem of policies is to design an efficient algorithm that can take as input any policy pair (P, Q) and determine whether (P, Q) is an accept-implication pair. Such an algorithm can support step-wise refinement methods for designing policies. In this paper, we present a polynomial algorithm that can take any policy pair (P, Q) and determine whether (P, Q) is an accept-implication pair. The time complexity of this algorithm is \(\mathcal{O}((m+n)^{t+2})\), where m is the number of rules in policy P, n is the number of rules in policy Q, and t is the number of attributes in P or in Q. This time complexity is polynomial when t is fixed, as is usually the case.
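
The definitions above can be exercised with a small checker; this is an added example, not the paper's algorithm or code. It assumes each predicate is a conjunction of inclusive integer intervals, one per attribute, and tests one representative request per cell of the grid formed by all rule bounds (at most (2(m+n))^t points); the function names and the sample policies P and Q are constructed for illustration.

```python
from itertools import product

# Rule = (predicate, action); predicate = one inclusive integer interval
# (lo, hi) per attribute. The interval form is an assumption of this example.

def decide(policy, request):
    """First-match semantics: action of the first matching rule, else None."""
    for predicate, action in policy:
        if all(lo <= v <= hi for v, (lo, hi) in zip(request, predicate)):
            return action
    return None

def grid_axes(policies, t):
    """Per attribute, the start of every elementary interval cut by rule bounds."""
    axes = []
    for i in range(t):
        cuts = set()
        for policy in policies:
            for predicate, _ in policy:
                lo, hi = predicate[i]
                cuts.update((lo, hi + 1))
        axes.append(sorted(cuts))
    return axes

def accept_implication(p, q, t):
    """(True, None) if every request p accepts is accepted by q, else (False, witness)."""
    # Rule matching is constant inside each grid cell, so one point per cell suffices.
    for request in product(*grid_axes((p, q), t)):
        if decide(p, request) == "accept" and decide(q, request) != "accept":
            return False, request
    return True, None

# Constructed sample policies over t = 2 attributes: (source, port).
ANY_SRC, ANY_PORT = (0, 255), (0, 65535)
P = [(((10, 20), ANY_PORT), "reject"),
     (((0, 127), (80, 80)), "accept"),
     (((0, 127), (443, 443)), "accept")]
Q = [((ANY_SRC, (80, 443)), "accept"),
     ((ANY_SRC, ANY_PORT), "reject")]

if __name__ == "__main__":
    print(accept_implication(P, Q, 2))  # P refines Q
    print(accept_implication(Q, P, 2))  # Q accepts requests P does not
```

When the check fails, the returned witness is a concrete request that the first policy accepts and the second does not, which is the case to review before adopting a refinement step.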

Keywords

Policy, Implication problem, Step-wise refinement, Firewalls, Access control, Routing



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Rezwana Reaz (1)
  • Muqeet Ali (1)
  • Mohamed G. Gouda (1)
  • Marijn J. H. Heule (1)
  • Ehab S. Elmallah (2)
  1. University of Texas at Austin, Austin, USA
  2. University of Alberta, Edmonton, Canada
