Policy Expressions and the Bottom-Up Design of Computing Policies

  • Conference paper
Networked Systems (NETYS 2017)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10299)

Abstract

A policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the decision of the first rule in P that matches the request is “accept” (or “reject”, respectively). Examples of computing policies are firewalls, routing policies and software-defined networks in the Internet, and access control policies. In this paper, we present a generalization of policies called policy expressions. A policy expression is specified using one or more policies and the three policy operators: “not”, “and”, and “or”. We show that policy expressions can be utilized to support bottom-up methods for designing policies. We also show that each policy expression can be represented by a set of special types of policies, called slices. Finally, we present several algorithms that use the slice representation of given policy expressions to verify whether the given policy expressions satisfy logical properties such as adequacy, implication, and equivalence.
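The first-match semantics and the three operators from the abstract, as an added Python example that is not code from the paper: it checks implication and equivalence by enumerating a small constructed request space, not with the paper's slice-based algorithms. Assumptions: every policy ends in a catch-all rule, "x implies y" means every request accepted by x is accepted by y, and all names (`REQUESTS`, `WEB`, `SSH`, `EXTERNAL`, `EXPR`, `MONOLITH`, `SHADOWED`) are hypothetical.

```python
from itertools import product

# Constructed request space (not from the paper): (source zone, destination port).
REQUESTS = list(product(("internal", "dmz", "external"), (22, 80, 443)))

def ANY(req):
    return True  # catch-all predicate

def decide(policy, req):
    """First-match semantics: the first rule whose predicate matches decides."""
    for predicate, decision in policy:
        if predicate(req):
            return decision == "accept"
    # Assumption: every policy ends in a catch-all rule, so this is a spec error.
    raise ValueError("no rule matches the request")

def accepts(expr, req):
    """Evaluate a policy expression: a list is a policy, a tuple is (op, *operands)."""
    if isinstance(expr, list):
        return decide(expr, req)
    op, *args = expr
    if op == "not":
        return not accepts(args[0], req)
    if op == "and":
        return all(accepts(a, req) for a in args)
    if op == "or":
        return any(accepts(a, req) for a in args)
    raise ValueError(f"unknown operator {op!r}")

def implies(x, y):
    """x implies y: every request accepted by x is also accepted by y."""
    return all(accepts(y, r) for r in REQUESTS if accepts(x, r))

def equivalent(x, y):
    return implies(x, y) and implies(y, x)

# Small single-purpose policies, combined bottom-up into one expression.
WEB = [(lambda r: r[1] in (80, 443), "accept"), (ANY, "reject")]
SSH = [(lambda r: r[1] == 22, "accept"), (ANY, "reject")]
EXTERNAL = [(lambda r: r[0] == "external", "accept"), (ANY, "reject")]
EXPR = ("or", WEB, ("and", SSH, ("not", EXTERNAL)))

# Hand-written monolithic policy, and the same two rules in the wrong order.
MONOLITH = [(lambda r: r == ("external", 22), "reject"), (ANY, "accept")]
SHADOWED = [(ANY, "accept"), (lambda r: r == ("external", 22), "reject")]

if __name__ == "__main__":
    print("EXPR == MONOLITH:", equivalent(EXPR, MONOLITH))
    print("EXPR == SHADOWED:", equivalent(EXPR, SHADOWED))
    print("EXPR => SHADOWED:", implies(EXPR, SHADOWED))
```

`SHADOWED` shows why rule order matters under first-match: its catch-all accept hides the reject rule, so the expression implies it but is not equivalent to it.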

Correspondence to Rezwana Reaz.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Reaz, R., Acharya, H.B., Elmallah, E.S., Cobb, J.A., Gouda, M.G. (2017). Policy Expressions and the Bottom-Up Design of Computing Policies. In: El Abbadi, A., Garbinato, B. (eds) Networked Systems. NETYS 2017. Lecture Notes in Computer Science, vol 10299. Springer, Cham. https://doi.org/10.1007/978-3-319-59647-1_12

  • DOI: https://doi.org/10.1007/978-3-319-59647-1_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59646-4

  • Online ISBN: 978-3-319-59647-1

  • eBook Packages: Computer Science, Computer Science (R0)
