Policy expressions and the bottom-up design of computing policies

A policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the decision of the first rule in P that matches the request is “accept” (or “reject”, respectively). Examples of computing policies are firewalls, routing policies and software-defined networks in the Internet, and access control policies. In this paper, we present a generalization of policies called policy expressions. A policy expression is specified using one or more policies and the three policy operators: “not”, “and”, and “or”. We show that policy expressions can be utilized to support bottom-up methods for designing policies. We also show that each policy expression can be represented by a set of special types of policies, called slices. We present several algorithms that use the slice representation of given policy expressions to verify whether the given policy expressions satisfy logical properties such as adequacy, implication, and equivalence. Finally, we present 19 equivalence laws of policy expressions.
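The first-match semantics and the three operators can be illustrated with a small sketch; this is an added example, not code from the paper, and it checks implication and equivalence by exhaustive enumeration over a tiny domain rather than by the paper's slice representation. Assumptions: the request domain, the policy names, Boolean semantics for “not”/“and”/“or”, the definitions of implication and equivalence given in the comments, and that every policy ends in a catch-all rule.

```python
from itertools import product

# Constructed request domain (assumption): source host id x destination port.
DOMAIN = list(product(range(4), (22, 80, 443)))

class Policy:
    """Ordered (predicate, decision) rules; the first matching rule decides."""
    def __init__(self, rules):
        self.rules = rules

    def accepts(self, req):
        for predicate, decision in self.rules:
            if predicate(req):
                return decision == "accept"
        # Assumption: policies are complete, i.e. end in a catch-all rule.
        raise ValueError(f"no rule matches request {req!r}")

class Not:
    def __init__(self, e):
        self.e = e
    def accepts(self, req):
        return not self.e.accepts(req)

class And:
    def __init__(self, a, b):
        self.a, self.b = a, b
    def accepts(self, req):
        return self.a.accepts(req) and self.b.accepts(req)

class Or:
    def __init__(self, a, b):
        self.a, self.b = a, b
    def accepts(self, req):
        return self.a.accepts(req) or self.b.accepts(req)

def accepted(expr):
    return {r for r in DOMAIN if expr.accepts(r)}

def implies(x, y):      # every request x accepts is also accepted by y
    return accepted(x) <= accepted(y)

def equivalent(x, y):   # x and y accept exactly the same requests
    return accepted(x) == accepted(y)

anything = lambda r: True
web = Policy([(lambda r: r[1] in (80, 443), "accept"), (anything, "reject")])
no_host0 = Policy([(lambda r: r[0] == 0, "reject"), (anything, "accept")])
combined = And(web, no_host0)   # built bottom-up from the two small policies
flat = Policy([(lambda r: r[0] == 0, "reject"),
               (lambda r: r[1] in (80, 443), "accept"), (anything, "reject")])
```

Here `equivalent(combined, flat)` holds, while swapping the first two rules of `flat` breaks the equivalence because the first matching rule decides.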
