Abstract
A policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the decision of the first rule in P, that matches the request is “accept” (or “reject”, respectively). Examples of computing policies are firewalls, routing policies and software-defined networks in the Internet, and access control policies. In this paper, we present a generalization of policies called policy expressions. A policy expression is specified using one or more policies and the three policy operators: “not”, “and”, and “or”. We show that policy expressions can be utilized to support bottom-up methods for designing policies. We also show that each policy expression can be represented by a set of special types of policies, called slices. We present several algorithms that use the slice representation of given policy expressions to verify whether the given policy expressions satisfy logical properties such as adequacy, implication, and equivalence. Finally, we present 19 equivalence laws of policy expressions.
Similar content being viewed by others
References
Acharya HB, Joshi A, Gouda MG (2010) Firewall modules and modular firewalls. In: Proceedings of the 18th IEEE international conference on network protocols (ICNP). IEEE, pp 174–182
Acharya HB, Kumar S, Wadhwa M, Shah A (2016) Rules in play: on the complexity of routing tables and firewalls. In: Proceedings of the 24th IEEE international conference on network protocols (ICNP). IEEE
Elmallah ES, Gouda MG (2014) Hardness of firewall analysis. In: Proceedings of the 2nd international conference on NETworked sYStems (NETYS), Lecture Notes in Computer Science, vol 8593. Springer, pp. 153–168
Gouda MG, Liu AX (2007) Structured firewall design. Comput Netw 51(4):1106–1120
Heule MJ, Reaz R, Acharya HB, Gouda MG (2016) Analysis of computing policies using sat solvers (short paper). In: Proceedings of the 18th international symposium on stabilization, safety, and security of distributed systems. Springer, pp 190–194
Hoffman D, Yoo K (2005) Blowtorch: a framework for firewall test automation. In: Proceedings of the 20th IEEE/ACM international conference on automated software engineering (ASE). ACM, pp 96–103
Kamara S, Fahmy S, Schultz E, Kerschbaum F, Frantzen M (2003) Analysis of vulnerabilities in internet firewalls. Comput Secur 22(3):214–232
Khoumsi A, Erradi M, Ayache M, Krombi W (2016) An approach to resolve np-hard problems of firewalls. In: Proceedings of the 4th international conference on NETworked sYStems (NETYS). Springer
Khoumsi A, Erradi M, Krombi W (2016) A formal basis for the design and analysis of firewall security policies. J King Saud Univ Comput Inf Sci 30(1):51–66
Khoumsi A, Krombi W, Erradi M (2014) A formal approach to verify completeness and detect anomalies in firewall security policies. In: Proceedings of the 7th international symposium on foundations and practice of security. Springer, pp 221–236
Krombi W, Erradi M, Khoumsi A (2014) Automata-based approach to design and analyze security policies. In: Proceedings of the 12th annual international conference on privacy, security and trust (PST). IEEE, pp 306–313
Liu AX, Gouda MG (2008) Diverse firewall design. IEEE Trans Parallel Distrib Syst 19(9):1237–1251
Mayer A, Wool A, Ziskind E (2000) Fang: a firewall analysis engine. In: Proceedings of IEEE symposium on security and privacy. IEEE, pp 177–187
Papadimitriou CH (2003) Computational complexity. Wiley, New York
Reaz R, Acharya HB, Elmallah ES, Cobb JA, Gouda MG (2017) Policy expressions and the bottom-up design of computing policies. In: Technical report no. TR-17-01, Department of Computer Science, The Universisty of Texas at Austin. https://apps.cs.utexas.edu/apps/tech-reports
Reaz R, Ali M, Gouda MG, Heule MJ, Elmallah ES (2015) The implication problem of computing policies. In: Proceedings of the 17th international symposium on stabilization, safety, and security of distributed systems. Springer, pp 109–123
Wool A (2004) A quantitative study of firewall configuration errors. Computer 37(6):62–67
Zhang S, Mahmoud A, Malik S, Narain S (2012) Verification and synthesis of firewalls using SAT and QBF. In: Proceedings of the 20th IEEE international conference on network protocols (ICNP). IEEE, pp 1–6
Acknowledgements
The authors are grateful to the reviewers for their detailed and encouraging comments on an earlier draft of this paper.
Funding
Funding was provided by National Science Foundation (1440035).
Author information
Authors and Affiliations
Corresponding author
A proofs of equivalence laws
A proofs of equivalence laws
Proof of Elementary Law 1: (\({\varvec{PE_1}}\)and\({\varvec{FE}}) = ({\varvec{FE}}\)):
No request is accepted by the policy expression (FE). Thus, the reject rules in each slice in the base of (FE) covers the accept rule of that slice. Hence, the reject rules in each slice in the base of (\(PE_1\) and FE) covers the accept rule of that slice. Therefore, no request is accepted by (\(PE_1\) and FE). Thus, the two expressions (\(PE_1\) and FE) and (FE) are equivalent.
Proofs of Elementary Laws 2, 3, and 4 are similar and are presented in [15].
Proof of Idempotence Law 1: (not(not (\({\varvec{PE_1}}))) = ({\varvec{PE_1}}\)):
Our proof is by induction on the rank of the policy expression \(PE_1\). (Recall that the rank of a policy expression is defined in the proof of Theorem 1.) The induction proof consists of two parts: a base case and an induction step.
Base Case: We prove that if the rank of \(PE_1\) is 0 then the two policy expressions (not(not(\(PE_1\)))) and (\(PE_1\)) are equivalent. This proof proceeds as follows. Because the rank of \(PE_1\) is 0 then \(PE_1\) is either of the form complete policy P or of the form complete policy not(P). If \(PE_1\) is of the form complete policy P, then the two policy expressions (not(not(P))) and (P) are equivalent. On the other hand, if \(PE_1\) is of the form complete policy not(P), then the two policy expressions not(not(P)) and (P) are equivalent and the two policy expressions (not(not(not(P)))) and (not(P)) are equivalent.
Induction Step: We assume that for every \(PE_1\) of rank \(k_1\) or less, the two policy expressions (not(not(\(PE_1\)))) and (\(PE_1\)) are equivalent.
We then use this assumption (often called the Induction Hypothesis) to prove that for every \(PE_1\) of rank (\(k_1\) + 1), the two policy expressions (not(not(PE1))) and (PE1) are equivalent. Let \(PE_1\) be any policy expression of rank (\(k_1\) + 1). In this case, \(PE_1\) is either of the form (\(PE_2\) or \(PE_3\)) or of the form (\(PE_2\) and \(PE_3\)), where the rank \(k_2\) of \(PE_2\) is \(k_1\) or less and the rank \(k_3\) of \(PE_3\) is \(k_1\) or less. In the rest of this proof, we focus on the case where \(PE_1\) is of the form (\(PE_2\) or \(PE_3\)). (The proof for the case where \(PE_1\) is of the form (\(PE_2\) and \(PE_3\)) is similar.) We have to prove that the two policy expressions (not(not(\(PE_2\) or \(PE_3\)))) and (\(PE_2\) or \(PE_3\)) are equivalent. The induction step proceeds as follows:
-
(1)
From the definition of not(\(\langle \) a policy expression\(\rangle \)), the two policy expressions not(\(PE_2\) or \(PE_3\)) and (not(\(PE_2\)) and not(\(PE_3\))) are equivalent.
-
(2)
From (1) and the definition of not(\(\langle \) a policy expression\(\rangle \)), the two policy expressions (not(not(\(PE_2\) or \(PE_3\)))) and (not(not(\(PE_2\))) or not(not(\(PE_3\)))) are equivalent.
-
(3)
From the induction hypothesis, the two policy expressions (not(not(\(PE_2\)))) and (\(PE_2\)) are equivalent and the two policy expressions (not(not(\(PE_3\)))) and (\(PE_3\)) are equivalent.
-
(4)
From (2) and (3), the two policy expressions (not(not(\(PE_2\) or \(PE_3\)))) and (\(PE_2\) or \(PE_3\)) are equivalent.
Proofs of Idempotence Laws 2, 3, 4, and 5 are similar and are presented in [15].
Proof of Symmetry Law 1: (\({\varvec{PE_1}}\)and\({\varvec{PE_2}}) = ({\varvec{PE_2}}\)and\({\varvec{PE_1}}\)):
The base of (\(PE_1\) and \(PE_2\)) is identical to the base of (\(PE_2\) and \(PE_1\)). Thus, the request set associated with (\(PE_1\) and \(PE_2\)) is identical to the request set associated with (\(PE_2\) and \(PE_1\)). Therefore, the two policy expressions (\(PE_1\) and \(PE_2\)) and (\(PE_2\) and \(PE_1\)) are equivalent.
Proof of Symmetry Law 2 is similar and is presented in [15].
Proof of Absorption Law 1: (\({\varvec{PE_1}}\)and (\({\varvec{PE_1}}\)or\({\varvec{PE_2}})) = ({\varvec{PE_1}}\)):
We need to prove two cases: (1) if (\(PE_1\) and (\(PE_1\) or \(PE_2\))) accepts a request rq then (\(PE_1\)) accepts rq, and (2) if (\(PE_1\)) accepts a request rq then (\(PE_1\) and (\(PE_1\) or \(PE_2\))) accepts rq.
Proof of Case (1): Assume that (\(PE_1\) and (\(PE_1\) or \(PE_2\))) accepts a request rq. Thus, rq is accepted by a slice sl in the base of (\(PE_1\) and (\(PE_1\) or \(PE_2\))). Slice sl is the intersection of two slices \(sl'\) in the base of (\(PE_1\)) and \(sl''\) in the base of (\(PE_1\) or \(PE_2\)). Hence, rq is accepted by slice \(sl'\) in the base of (\(PE_1\)). Therefore (\(PE_1\)) accepts rq.
Proof of Case (2): Assume that (\(PE_1\)) accepts a request rq. Thus, rq is accepted by a slice sl in the base of (\(PE_1\)). Because slice sl is also in the base of (\(PE_1\) or \(PE_2\)), rq is accepted by a slice sl in the base of (\(PE_1\) or \(PE_2\)). Slice sl can be viewed as the intersection of the two slices sl in the base of (\(PE_1\)) and sl in the base of (\(PE_1\) or \(PE_2\)). Hence, rq is accepted by slice sl which is in the base of (\(PE_1\) and (\(PE_1\) or \(PE_2\))). Therefore, (\(PE_1\) and (\(PE_1\) or \(PE_2\))) accepts rq.
Proof of Absorption Law 2 is similar and is presented in [15].
Proof of De-Morgan’s Law 1: (not(\({\varvec{PE_1}}\)and\({\varvec{PE_2}}))\) = (not(\({\varvec{PE_1}}\)) ornot(\({\varvec{PE_2}}\))):
From definition of not(\(\langle \) a policy expression\(\rangle \)), the two policy expressions (not(\(PE_1\) and \(PE_2\))) and (not(\(PE_1\)) or not(\(PE_2\))) are equivalent.
The proof of De-Morgan’s Law 2 is similar and is presented in [15].
Proof of Distribution Law 1: (\({\varvec{PE_1}}\)and (\({\varvec{PE_2}}\)or\({\varvec{PE_3}})) = (({\varvec{PE_1}}\)and\({\varvec{PE_2}}\)) or (\({\varvec{PE_1}}\)and\({\varvec{PE_3}}\))):
We need to prove two cases: (1) if (\(PE_1\) and (\(PE_2\) or \(PE_3\))) accepts a request rq then ((\(PE_1\) and \(PE_2\)) or (\(PE_1\) and \(PE_3\))) accepts rq, and (2) if ((\(PE_1\) and \(PE_2\)) or (\(PE_1\) and \(PE_3\))) accepts a request rq then (\(PE_1\) and (\(PE_2\) or \(PE_3\))) accepts rq.
Proof of Case (1): Assume that (\(PE_1\) and (\(PE_2\) or \(PE_3\))) accepts a request rq. Thus, rq is accepted by a slice sl in the base of (\(PE_1\) and (\(PE_2\) or \(PE_3\))). Slice sl is the intersection of two slices \(sl'\) in the base of (\(PE_1\)) and \(sl''\) in the base of (\(PE_2\) or \(PE_3\)). Since slice \(sl''\) is in the base of (\(PE_2\) or \(PE_3\)), so \(sl''\) is also in the base of (\(PE_2\)) or is in the base of (\(PE_3\)). If \(sl''\) is in the base of (\(PE_2\)), then slice sl is also in the base of (\(PE_1\) and \(PE_2\)). If \(sl''\) is in the base of (\(PE_3\)), then slice sl is also in the base of (\(PE_1\) and \(PE_3\)). Therefore slice sl is in the base of ((\(PE_1\) and \(PE_2\)) or (\(PE_1\) and \(PE_3\))). Thus, rq is accepted by slice sl in the base of ((\(PE_1\) and \(PE_2\)) or (\(PE_1\) and \(PE_3\))). Therefore ((\(PE_1\) and \(PE_2\)) or (\(PE_1\) and \(PE_3\))) accepts rq.
Proof of Case (2): Assume that ((\(PE_1\) and \(PE_2\)) or (\(PE_1\) and \(PE_3\))) accepts a request rq. Thus, rq is accepted by a slice sl in the base of ((\(PE_1\) and \(PE_2\)) or (\(PE_1\) and \(PE_3\))). Hence, slice sl is in the base of (\(PE_1\) and \(PE_2\)) or is in the base of (\(PE_1\) and \(PE_3\)). If slice sl is in the base of (\(PE_1\) and \(PE_2\)), sl is the intersection of two slices \(sl'\) in the base of (\(PE_1\)) and \(sl''\) in the base of (\(PE_2\)). Because slice \(sl''\) is also in the base of (\(PE_2\) or \(PE_3\)), slice sl is in the base of (\(PE_1\) and (\(PE_2\) or \(PE_3\))). If slice sl is in the base of (\(PE_1\) and \(PE_3\)), sl is the intersection of two slices \(sl'\) in the base of (\(PE_1\)) and \(sl''\) in the base of (\(PE_3\)). Because slice \(sl''\) is also in the base of (\(PE_2\) or \(PE_3\)), slice sl is in the base of (\(PE_1\) and (\(PE_2\) or \(PE_3\))). Thus, rq is accepted by a slice in the base of (\(PE_1\) and (\(PE_2\) or \(PE_3\))). Therefore, (\(PE_1\) and (\(PE_2\) or \(PE_3\))) accepts rq.
Proof of Distribution Law 2 is similar and is presented in [15].
Proof of Associativity Law 1: (\({\varvec{PE_1}}\)and (\({\varvec{PE_2}}\)and\({\varvec{PE_3}})) = (({\varvec{PE_1}}\)and\({\varvec{PE_2}}\)) and\({\varvec{PE_3}}\)):
We need to prove two cases: (1) if (\(PE_1\) and (\(PE_2\) and \(PE_3\))) accepts a request rq then ((\(PE_1\) and \(PE_2\)) and \(PE_3\)) accepts rq, and (2) if ((\(PE_1\) and \(PE_2\)) and \(PE_3\)) accepts a request rq then (\(PE_1\) and (\(PE_2\) and \(PE_3\))) accepts rq.
Proof of Case (1): Assume that (\(PE_1\) and (\(PE_2\) and \(PE_3\))) accepts a request rq. Thus, rq is accepted by a slice sl in the base of (\(PE_1\) and (\(PE_2\) and \(PE_3\))). Slice sl is the intersection of two slices \(sl'\) in the base of (\(PE_1\)) and \(sl''\) in the base of (\(PE_2\) and \(PE_3\)). Also, slice \(sl''\) is the intersection of two slices \(sl_1''\) in the base of (\(PE_2\)) and \(sl_2''\) in the base of (\(PE_3\)). Since slice sl accepts rq, rq is accepted by \(sl'\) and \(sl''\). Also rq is accepted by \(sl_1''\) and \(sl_2''\). Hence, rq is accepted by the intersection slice \(s_1\) of the two slices \(sl'\) and \(sl_1'\), which is in the base of (\(PE_1\) and \(PE_2\)). Moreover, rq is accepted by the intersection slice \(s_2\) of the two slices \(s_1\) and \(sl_2''\), which is in the base of ((\(PE_1\) and \(PE_2\)) and \(PE_3\)). Therefore, ((\(PE_1\) and \(PE_2\)) and \(PE_3\)) accepts rq.
Proof of Case (2): Assume that ((\(PE_1\) and \(PE_2\)) and \(PE_3\)) accepts a request rq. Thus, rq is accepted by a slice sl in the base of ((\(PE_1\) and \(PE_2\)) and \(PE_3\)). Slice sl is the intersection of two slices \(sl'\) in the base of (\(PE_1\) and \(PE_2\)) and \(sl''\) in the base of (\(PE_3\)). Also, slice \(sl'\) is the intersection of two slices \(sl_1'\) in the base of (\(PE_1\)) and \(sl_2'\) in the base of (\(PE_2\)). Since slice sl accepts rq, rq is accepted by \(sl'\) and \(sl''\). Also rq is accepted by \(sl_1'\) and \(sl_2'\). Hence, rq is accepted by the intersection slice \(s_1\) of the two slices \(sl_2'\) and \(sl''\), which is in the base of (\(PE_2\) and \(PE_3\)). Moreover, rq is accepted by the intersection slice \(s_2\) of the two slices \(sl_1'\) and \(s_1\), which is in the base of (\(PE_1\) and (\(PE_2\) and \(PE_3\))). Therefore, (\(PE_1\) and (\(PE_2\) and \(PE_3\))) accepts rq.
Proof of Associativity Law 2 is similar and is presented in [15].
Rights and permissions
About this article
Cite this article
Reaz, R., Acharya, H.B., Elmallah, E.S. et al. Policy expressions and the bottom-up design of computing policies. Computing 101, 1307–1326 (2019). https://doi.org/10.1007/s00607-018-0655-0
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00607-018-0655-0