# Policy expressions and the bottom-up design of computing policies


## Abstract

A policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy *P* is said to accept (or reject, respectively) a request iff the decision of the first rule in *P* that matches the request is “accept” (or “reject”, respectively). Examples of computing policies are firewalls, routing policies and software-defined networks in the Internet, and access control policies. In this paper, we present a generalization of policies called policy expressions. A policy expression is specified using one or more policies and the three policy operators: “not”, “and”, and “or”. We show that policy expressions can be utilized to support bottom-up methods for designing policies. We also show that each policy expression can be represented by a set of special types of policies, called slices. We present several algorithms that use the slice representation of given policy expressions to verify whether the given policy expressions satisfy logical properties such as adequacy, implication, and equivalence. Finally, we present 19 equivalence laws of policy expressions.
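The first-match semantics and the three operators described above, as an added example that is not code from the paper: small single-purpose policies are composed bottom-up and compared against hand-written monolithic policies by exhaustive enumeration over a tiny constructed domain, not by the paper's slice-based algorithms. Assumptions: a request matching no rule is not accepted, the operators act as Boolean connectives on "accepts", implication means every request accepted by the first expression is accepted by the second, and all names and rule values are hypothetical.

```python
from itertools import product

ALL_SRC, ALL_PORT = range(8), (22, 80, 443)  # constructed request domain
DOMAIN = list(product(ALL_SRC, ALL_PORT))

def rule(srcs, ports, decision):
    """A rule: a predicate (allowed sources and ports) plus a decision."""
    return (frozenset(srcs), frozenset(ports), decision)

def accepts(policy, request):
    """First-match semantics: the first rule whose predicate matches decides."""
    src, port = request
    for srcs, ports, decision in policy:
        if src in srcs and port in ports:
            return decision == "accept"
    return False  # assumption: no matching rule means not accepted

def evaluate(expr, request):
    """expr is a policy (list of rules) or ("not", e), ("and", e1, e2), ("or", e1, e2)."""
    if isinstance(expr, list):
        return accepts(expr, request)
    op, *args = expr
    if op == "not":
        return not evaluate(args[0], request)
    if op == "and":
        return evaluate(args[0], request) and evaluate(args[1], request)
    if op == "or":
        return evaluate(args[0], request) or evaluate(args[1], request)
    raise ValueError(f"unknown operator: {op}")

def implies(e1, e2):
    """Assumed definition: everything e1 accepts is also accepted by e2."""
    return all(evaluate(e2, r) for r in DOMAIN if evaluate(e1, r))

def equivalent(e1, e2):
    return implies(e1, e2) and implies(e2, e1)

# Small single-purpose policies (hypothetical), composed bottom-up.
DENY_ALL = rule(ALL_SRC, ALL_PORT, "reject")
WEB = [rule(ALL_SRC, (80, 443), "accept"), DENY_ALL]
ADMIN_SSH = [rule((1, 2), (22,), "accept"), DENY_ALL]
BLOCKLIST = [rule((6, 7), ALL_PORT, "accept"), DENY_ALL]  # accepts the listed sources
COMPOSED = ("and", ("or", WEB, ADMIN_SSH), ("not", BLOCKLIST))

# Hand-written monolithic policy meant to do the same job, and a copy with the
# first two rules swapped: under first-match, rule order changes the meaning.
BLOCK = rule((6, 7), ALL_PORT, "reject")
MONOLITHIC = [BLOCK, WEB[0], ADMIN_SSH[0], DENY_ALL]
MISORDERED = [WEB[0], BLOCK, ADMIN_SSH[0], DENY_ALL]
```

Here `equivalent(COMPOSED, MONOLITHIC)` holds, while `MISORDERED` is only implied by `COMPOSED`: it also accepts web requests from the blocked sources, the kind of ordering error an equivalence check against the composed expression exposes.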

## Keywords

Policies, Firewalls, Access control, Routing policies

## Mathematics Subject Classification

68-XX (primary) 68M10 68W99 03B70 03F60 (secondary)

## Notes

### Acknowledgements

The authors are grateful to the reviewers for their detailed and encouraging comments on an earlier draft of this paper.

### Funding

Funding was provided by National Science Foundation (1440035).
