Verifying Security Policies Using Host Attributes

  • Cornelius Diekmann
  • Stephan-A. Posselt
  • Heiko Niedermayer
  • Holger Kinkelin
  • Oliver Hanka
  • Georg Carle
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8461)


For the formal verification of a network security policy, it is crucial to express the verification goals. These formal goals, called security invariants, should be easy to express for the end user. Focusing on access control and information flow security strategies, this work discovers and proves universal insights about security invariants. This enables secure and convenient auto-completion of host attribute configurations. We demonstrate our results in a civil aviation scenario. All results are machine-verified with the Isabelle/HOL theorem prover.
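As an added illustration, not the paper's Isabelle/HOL formalization or its aviation case study, the following Python models a policy as a set of allowed flows between hosts, states an information flow invariant over host attributes (security levels in a total order), and auto-completes unconfigured hosts with a default attribute before verification. The host names, the levels and the choice of the most restrictive level as default are assumptions of this example.

```python
# Added example: verifying a toy network security policy against an
# information flow invariant expressed over host attributes, with
# auto-completion of hosts whose attribute was left unconfigured.

# Constructed toy policy: allowed flows (sender -> receiver) in an
# aircraft cabin network. Host names are assumptions of this example.
HOSTS = ["ife_seat", "crew_panel", "cockpit_display", "maint_laptop"]
FLOWS = [
    ("ife_seat", "crew_panel"),
    ("crew_panel", "cockpit_display"),
    ("cockpit_display", "maint_laptop"),
    ("maint_laptop", "ife_seat"),
]

# Security levels as a total order; a higher value is more restrictive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

# Partial host-attribute configuration: maint_laptop is left unconfigured.
CONFIG = {"ife_seat": "unclassified",
          "crew_panel": "confidential",
          "cockpit_display": "secret"}


def complete_config(config, hosts, default):
    """Auto-completion: every host missing from config gets the default."""
    return {h: config.get(h, default) for h in hosts}


def offending_flows(flows, attrs):
    """Invariant: information may only flow upwards in the lattice, so a
    flow s -> r violates it exactly when level(s) > level(r)."""
    return [(s, r) for s, r in flows if LEVELS[attrs[s]] > LEVELS[attrs[r]]]


def verify(flows, attrs):
    """True iff the policy fulfils the invariant under these attributes."""
    return not offending_flows(flows, attrs)


def check_with_default(default):
    """Complete the partial configuration, then return (verdict, offenders)."""
    attrs = complete_config(CONFIG, HOSTS, default)
    return verify(FLOWS, attrs), offending_flows(FLOWS, attrs)


if __name__ == "__main__":
    # The unconfigured laptop is assumed "secret" (most restrictive level):
    # it may receive from the cockpit display but its flow to the seat unit
    # is reported as offending. A permissive default flags a different flow.
    print("secret default:      ", check_with_default("secret"))
    print("unclassified default:", check_with_default("unclassified"))
```

Comparing the two verdicts shows that the verification result for the same policy depends on the default assigned to unconfigured hosts, which is why the choice of default itself needs justification.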



Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Cornelius Diekmann (1)
  • Stephan-A. Posselt (1)
  • Heiko Niedermayer (1)
  • Holger Kinkelin (1)
  • Oliver Hanka (2)
  • Georg Carle (1)

  1. Technische Universität München, München, Germany
  2. Airbus Group Innovations, München, Germany
