
The Implication Problem of Computing Policies

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9212)

Abstract

A computing policy is a sequence of rules, where each rule consists of a predicate and an action, and where each action is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the action of the first rule in P that is matched by the request is “accept” (or “reject”, respectively). A pair of policies (P, Q) is called an accept-implication pair iff every request that is accepted by policy P is also accepted by policy Q. The implication problem of policies is to design an efficient algorithm that can take as input any policy pair (P, Q) and determine whether (P, Q) is an accept-implication pair. Such an algorithm can support step-wise refinement methods for designing policies. In this paper, we present a polynomial algorithm that can take any policy pair (P, Q) and determine whether (P, Q) is an accept-implication pair. The time complexity of this algorithm is \(\mathcal{O}((m + n)^{t+2})\), where m is the number of rules in policy P, n is the number of rules in policy Q, and t is the number of attributes in P or in Q. This time complexity is polynomial when t is fixed, as is usually the case.
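The first-match semantics and the accept-implication check defined in the abstract can be illustrated as follows. This is an added example, not the algorithm from the paper: it assumes each predicate is a conjunction of closed integer intervals (one per attribute), treats a request that matches no rule as rejected, and tests one representative request per elementary cell cut out by the rule endpoints. The two policies are constructed sample data.

```python
from itertools import product

ACCEPT, REJECT = "accept", "reject"

def decide(policy, request):
    """First-match semantics: return the action of the first rule the request matches."""
    for intervals, action in policy:
        if all(lo <= v <= hi for v, (lo, hi) in zip(request, intervals)):
            return action
    return REJECT  # assumption: a request that matches no rule is rejected

def representatives(policies, t):
    """Per attribute, the first value of every segment delimited by rule endpoints."""
    axes = []
    for i in range(t):
        cuts = set()
        for policy in policies:
            for intervals, _ in policy:
                lo, hi = intervals[i]
                cuts.update((lo, hi + 1))  # membership can only change at lo and hi + 1
        axes.append(sorted(cuts))
    return axes

def accept_implies(p, q, t):
    """Return (True, None) if every request accepted by p is accepted by q,
    otherwise (False, witness) where witness is accepted by p but not by q."""
    for request in product(*representatives((p, q), t)):
        if decide(p, request) == ACCEPT and decide(q, request) != ACCEPT:
            return False, request
    return True, None

# Constructed sample policies over t = 2 attributes: (source id, destination port).
P_POLICY = [
    (((10, 20), (22, 22)), REJECT),   # hosts 10..20 may not reach port 22
    (((0, 100), (0, 1023)), ACCEPT),  # hosts 0..100 may reach ports 0..1023
]
Q_POLICY = [
    (((0, 255), (0, 1023)), ACCEPT),  # any host may reach ports 0..1023
]

if __name__ == "__main__":
    print(accept_implies(P_POLICY, Q_POLICY, 2))  # P refines Q
    print(accept_implies(Q_POLICY, P_POLICY, 2))  # Q is broader; a witness is returned
```

Values below the smallest endpoint of an attribute fall in no interval, so under the reject-by-default assumption they can never be accepted by P and need no representative.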



Author information

Corresponding author

Correspondence to Rezwana Reaz.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Reaz, R., Ali, M., Gouda, M.G., Heule, M.J.H., Elmallah, E.S. (2015). The Implication Problem of Computing Policies. In: Pelc, A., Schwarzmann, A. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2015. Lecture Notes in Computer Science, vol 9212. Springer, Cham. https://doi.org/10.1007/978-3-319-21741-3_8

  • DOI: https://doi.org/10.1007/978-3-319-21741-3_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-21740-6

  • Online ISBN: 978-3-319-21741-3

  • eBook Packages: Computer Science (R0)
