Automata-Based Bottom-Up Design of Conflict-Free Security Policies Specified as Policy Expressions

  • Conference paper
Networked Systems (NETYS 2018)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 11028))

Abstract

Security policies (or more briefly: policies) are used to filter accesses to computing resources. A policy is usually specified by a table of rules, where each rule specifies conditions to accept or reject an access request. Since the acceptance of malicious requests or the rejection of legitimate requests may lead to serious consequences, the correct design of policies is very important. The present paper is inspired by two works: the first one uses an automata-based method to design policies, while the second one suggests a bottom-up design method of policies specified as policy expressions. A policy expression looks like a boolean expression, where policies are composed using three operators: \(\lnot \), \(\wedge \), \(\vee \). In this paper, we generalize the automata-based method for the bottom-up design of policies specified as policy expressions. In our context, designing a policy specified as a policy expression \( PE \) amounts to constructing an automaton \(\varGamma _{ PE }\) that models the access control specified in \( PE \). To respect the essence of bottom-up design, the automaton \(\varGamma _{ PE }\) is constructed incrementally, by first constructing the automata that model the basic policies that compose \( PE \), and then constructing incrementally the automata that model the subexpressions that compose \( PE \), until we obtain \(\varGamma _{ PE }\). Then we show how to use \(\varGamma _{ PE }\) to determine whether \( PE \) verifies several properties, namely adequacy, implication, and equivalence. Also, we study the problem of conflicting rules, i.e. policy rules that do not agree on whether some request must be accepted or rejected. We show that our bottom-up design supports any strategy of conflict resolution.
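The following is an added illustration, not code from the paper: it does not build the automaton \(\varGamma _{ PE }\) but enumerates a tiny constructed request domain to show what policy expressions, conflicting rules, and the three properties mean in practice. All names are hypothetical, and the property definitions are assumptions (adequacy: at least one request is accepted; implication: every request accepted by one policy is accepted by the other; equivalence: both accept the same requests).

```python
from itertools import product

# Constructed toy request domain: (source zone, destination port).
DOMAIN = frozenset(product(["internal", "external"], [22, 80, 443]))

def rule(zones, ports, decision):
    """One table row; it matches a request when both fields are in its sets."""
    return (frozenset(zones), frozenset(ports), decision)

def matching(table, req):
    """Decisions of all rules matching req, in table order."""
    return [d for z, p, d in table if req[0] in z and req[1] in p]

# Two conflict-resolution strategies (assumed examples; any strategy fits here).
def first_match(decisions): return decisions[0]
def deny_overrides(decisions): return "reject" if "reject" in decisions else "accept"

def accepted(table, resolve=first_match, default="reject"):
    """Set of requests the basic policy accepts under a resolution strategy."""
    return frozenset(r for r in DOMAIN
                     if (resolve(matching(table, r)) if matching(table, r)
                         else default) == "accept")

def conflicts(table):
    """Requests on which at least two matching rules disagree."""
    return {r for r in DOMAIN if len(set(matching(table, r))) > 1}

# Policy-expression operators, applied bottom-up to accepted-request sets.
def NOT(p): return DOMAIN - p
def AND(p, q): return p & q
def OR(p, q): return p | q

# Properties of the abstract (definitions assumed, see lead-in).
def adequate(p): return bool(p)
def implies(p, q): return p <= q
def equivalent(p, q): return p == q

# Constructed basic policies; the two ADMIN rules overlap on ("external", 22).
WEB = [rule(["internal", "external"], [80, 443], "accept")]
ADMIN = [rule(["internal", "external"], [22], "accept"),
         rule(["external"], [22], "reject")]

if __name__ == "__main__":
    web, admin = accepted(WEB), accepted(ADMIN, deny_overrides)
    print("conflicting requests in ADMIN:", conflicts(ADMIN))
    print("WEB implies WEB or ADMIN:", implies(web, OR(web, admin)))
    print("WEB and ADMIN adequate:", adequate(AND(web, admin)))
```

With first-match resolution the overlapping `ADMIN` rules accept SSH from the external zone, while deny-overrides rejects it, so the chosen strategy has to be fixed before the basic policies are composed.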

Correspondence to Ahmed Khoumsi.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Khoumsi, A., Erradi, M. (2019). Automata-Based Bottom-Up Design of Conflict-Free Security Policies Specified as Policy Expressions. In: Podelski, A., Taïani, F. (eds) Networked Systems. NETYS 2018. Lecture Notes in Computer Science, vol 11028. Springer, Cham. https://doi.org/10.1007/978-3-030-05529-5_23

  • DOI: https://doi.org/10.1007/978-3-030-05529-5_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05528-8

  • Online ISBN: 978-3-030-05529-5

  • eBook Packages: Computer Science (R0)
