Formal firewall conformance testing: an application of test and proof techniques

Firewalls are an important means to secure critical ICT infrastructures. As configurable off-the-shelf products, the effectiveness of a firewall crucially depends on both the correctness of the implementation itself and the correctness of its configuration. While the implementation can be tested once by the manufacturer, the configuration needs to be tested for each application individually. This is particularly challenging because the configuration, which implements a firewall policy, is inherently complex, hard to understand and administered by different stakeholders, and is therefore difficult to validate. This paper presents a formal model of both stateless and stateful firewalls (packet filters), including NAT, to which a specification-based conformance test case generation approach is applied. Furthermore, a verified optimisation technique for this approach is presented: starting from a formal model for stateless firewalls, a collection of semantics-preserving policy transformation rules and an algorithm that optimises the specification with respect to the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates verification and testing, that is, tests and proofs, to support conformance testing of network policies. The presented approach is supported by a test framework that allows actual firewalls to be tested using the test cases generated on the basis of the formal model. Finally, a report on several larger case studies is presented. Copyright © 2014 John Wiley & Sons, Ltd.
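The abstract's central idea, a semantics-preserving policy transformation that reduces the number of paths a test generator must cover, can be illustrated on a toy stateless packet filter. The following is an added Python example, not the paper's Isabelle/HOL model or the HOL-TestGen/fw framework: the rule format, the tiny integer address and port space, the sample policy and the "one test per feasible first-match path" count are all constructed for illustration. The transformation shown (dropping rules that earlier rules completely shadow) is one concrete instance of the kind of rule the abstract describes; the equivalence check is done by brute force over the packet universe rather than by proof.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Packet:
    """A stateless-filter view of a packet: source, destination, port.
    Addresses and ports are small integers so the whole space can be enumerated."""
    src: int
    dst: int
    port: int


@dataclass(frozen=True)
class Rule:
    """A filter rule: a predicate on packets plus an action (first match wins).
    Ranges stand in for address sets and port sets (constructed simplification)."""
    src: range
    dst: range
    ports: range
    action: str  # "accept" or "deny"

    def matches(self, p: Packet) -> bool:
        return p.src in self.src and p.dst in self.dst and p.port in self.ports


def first_match_index(policy, packet):
    """Index of the rule that decides the packet, or None if the default applies."""
    for i, rule in enumerate(policy):
        if rule.matches(packet):
            return i
    return None


def evaluate(policy, default, packet):
    """First-match semantics of the packet filter."""
    i = first_match_index(policy, packet)
    return default if i is None else policy[i].action


def remove_shadowed(policy, universe):
    """Semantics-preserving transformation: drop every rule that no packet can
    reach because the rules kept before it already cover all of its packets.
    Such a rule never decides any packet, so the decision function is unchanged."""
    kept = []
    for rule in policy:
        reachable = any(
            rule.matches(p) and not any(r.matches(p) for r in kept) for p in universe
        )
        if reachable:
            kept.append(rule)
    return kept


def equivalent(policy_a, default_a, policy_b, default_b, universe):
    """Pointwise check that two policies make the same decision on every packet."""
    return all(
        evaluate(policy_a, default_a, p) == evaluate(policy_b, default_b, p)
        for p in universe
    )


def path_coverage_tests(policy, default, universe):
    """One test packet per feasible decision path: each rule that is the first
    match for some packet, plus the default path if some packet matches no rule.
    Returns (path name, packet, expected decision) triples."""
    tests = []
    for i, rule in enumerate(policy):
        pkt = next((p for p in universe if first_match_index(policy, p) == i), None)
        if pkt is not None:
            tests.append((f"rule{i}", pkt, rule.action))
    pkt = next((p for p in universe if first_match_index(policy, p) is None), None)
    if pkt is not None:
        tests.append(("default", pkt, default))
    return tests


# Constructed sample policy (not from the paper): rule1 and rule3 are fully
# shadowed by the rules before them and can never fire.
POLICY = [
    Rule(range(0, 4), range(0, 2), range(0, 4), "accept"),  # rule0: accept anything to dst 0-1
    Rule(range(0, 2), range(0, 2), range(0, 2), "deny"),    # rule1: shadowed by rule0
    Rule(range(0, 4), range(2, 3), range(0, 4), "deny"),    # rule2: deny anything to dst 2
    Rule(range(2, 4), range(2, 3), range(3, 4), "accept"),  # rule3: shadowed by rule2
]
DEFAULT = "deny"

# Constructed packet universe: 4 sources x 4 destinations x 4 ports = 64 packets.
UNIVERSE = [Packet(s, d, p) for s, d, p in product(range(4), repeat=3)]


def optimise(policy=POLICY, universe=UNIVERSE):
    """Apply the transformation and report candidate path counts (rules + default)
    before and after; the equivalence assertion is the brute-force stand-in for
    the paper's proof that the transformation preserves semantics."""
    optimised = remove_shadowed(policy, universe)
    assert equivalent(policy, DEFAULT, optimised, DEFAULT, universe)
    return optimised, len(policy) + 1, len(optimised) + 1


if __name__ == "__main__":
    optimised, before, after = optimise()
    print(f"candidate paths to cover: {before} before, {after} after")
    for name, pkt, decision in path_coverage_tests(optimised, DEFAULT, UNIVERSE):
        print(f"{name}: {pkt} -> {decision}")
```

On the sample policy the generator starts with five candidate paths (four rules plus the default) and is left with three after the transformation; the two removed paths were infeasible, so the reduced policy yields exactly the same test set while sparing the generator the case distinctions for rules that can never match. In the paper this role is played by verified transformation rules and the prover's case splitting, not by enumeration.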
