Abstract
A policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the decision of the first rule in P, that matches the request is “accept” (or “reject”, respectively). Examples of computing policies are firewalls, routing policies and software-defined networks in the Internet, and access control policies. In this paper, we present a generalization of policies called policy expressions. A policy expression is specified using one or more policies and the three policy operators: “not”, “and”, and “or”. We show that policy expressions can be utilized to support bottom-up methods for designing policies. We also show that each policy expression can be represented by a set of special types of policies, called slices. Finally, we present several algorithms that use the slice representation of given policy expressions to verify whether the given policy expressions satisfy logical properties such as adequacy, implication, and equivalence.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Acharya, H.B., Gouda, M.G.: Projection and division: linear-space verification of firewalls. In: Proceedings of the 30th IEEE International Conference on Distributed Computing Systems (ICDCS), pp. 736–743. IEEE (2010)
Acharya, H.B., Joshi, A., Gouda, M.G.: Firewall modules and modular firewalls. In: Proceedings of the 18th IEEE International Conference on Network Protocols (ICNP), pp. 174–182. IEEE (2010)
Acharya, H.B., Kumar, S., Wadhwa, M., Shah, A.: Rules in play: on the complexity of routing tables and firewalls. In: Proceedings of the 24th IEEE International Conference on Network Protocols (ICNP). IEEE (2016)
Elmallah, E.S., Gouda, M.G.: Hardness of firewall analysis. In: Noubir, G., Raynal, M. (eds.) NETYS 2014. LNCS, vol. 8593, pp. 153–168. Springer, Cham (2014). doi:10.1007/978-3-319-09581-3_11
Gouda, M.G., Liu, A.X.: Structured firewall design. Comput. Netw. 51(4), 1106–1120 (2007)
Hoffman, D., Yoo, K.: Blowtorch: a framework for firewall test automation. In: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 96–103. ACM (2005)
Kamara, S., Fahmy, S., Schultz, E., Kerschbaum, F., Frantzen, M.: Analysis of vulnerabilities in internet firewalls. Comput. Secur. 22(3), 214–232 (2003)
Khoumsi, A., Erradi, M., Ayache, M., Krombi, W.: An approach to resolve NP-hard problems of firewalls. In: Abdulla, P.A., Delporte-Gallet, C. (eds.) NETYS 2016. LNCS, vol. 9944, pp. 229–243. Springer, Cham (2016). doi:10.1007/978-3-319-46140-3_19
Khoumsi, A., Krombi, W., Erradi, M.: A formal approach to verify completeness and detect anomalies in firewall security policies. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P.W.L. (eds.) FPS 2014. LNCS, vol. 8930, pp. 221–236. Springer, Cham (2015). doi:10.1007/978-3-319-17040-4_14
Krombi, W., Erradi, M., Khoumsi, A.: Automata-based approach to design and analyze security policies. In: Proceedings of the 12th Annual International Conference on Privacy, Security and Trust (PST), pp. 306–313. IEEE (2014)
Liu, A.X., Gouda, M.G.: Diverse firewall design. IEEE Trans. Parallel Distrib. Syst. (TPDS) 19(9), 1237–1251 (2008)
Mayer, A., Wool, A., Ziskind, E.: Fang: a firewall analysis engine. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 177–187. IEEE (2000)
Reaz, R., Acharya, H.B., Elmallah, E.S., Cobb, J.A., Gouda, M.G.: Policy expressions and the bottom-up design of computing policies. Technical report No. TR-17-01, Department of Computer Science, The Universisty of Texas at Austin (2017). https://apps.cs.utexas.edu/apps/tech-reports
Reaz, R., Ali, M., Gouda, M.G., Heule, M.J.H., Elmallah, E.S.: The Implication Problem of Computing Policies. In: Pelc, A., Schwarzmann, A.A. (eds.) SSS 2015. LNCS, vol. 9212, pp. 109–123. Springer, Cham (2015). doi:10.1007/978-3-319-21741-3_8
Wool, A.: A quantitative study of firewall configuration errors. Computer 37(6), 62–67 (2004)
Zhang, S., Mahmoud, A., Malik, S., Narain, S.: Verification and synthesis of firewalls using SAT and QBF. In: Proceedings of the 20th IEEE International Conference on Network Protocols (ICNP), pp. 1–6. IEEE (2012)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Reaz, R., Acharya, H.B., Elmallah, E.S., Cobb, J.A., Gouda, M.G. (2017). Policy Expressions and the Bottom-Up Design of Computing Policies. In: El Abbadi, A., Garbinato, B. (eds) Networked Systems. NETYS 2017. Lecture Notes in Computer Science(), vol 10299. Springer, Cham. https://doi.org/10.1007/978-3-319-59647-1_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-59647-1_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59646-4
Online ISBN: 978-3-319-59647-1
eBook Packages: Computer ScienceComputer Science (R0)