Assessing network authorization policies via reachability analysis

Basile, Cataldo; Canavese, Daniele; Pitscheider, Christian; Lioy, Antonio; Valenza, Fulvio

doi:10.1016/j.compeleceng.2017.02.019

Cited by 14 publications

(8 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Policy analysis mainly deals with policy evaluation and anomaly analysis: checking for errors like incorrect policy specifications, conflicts and sub-optimizations affecting either a single policy or a set of policies [3] being the primary research topic. Works in this area use different techniques to achieve this goal, such as model checking [17], [18], binary decision diagrams [19], graph theory [20], Deterministic Finite State Automata (DFSA) [21], First Order Logic (FOL) [22], geometrical models [23], answer set programming [24], petri nets [25] and metagraphs [15]. Policy evaluation instead deals with checking whether a request is satisfied by a set of policies.…”

Section: Introductionmentioning

confidence: 99%

Verification of Cloud Security Policies

Miller

Mérindol

Gallais³

et al. 2021

2021 IEEE 22nd International Conference on High Performance Switching and Routing (HPSR)

View full text Add to dashboard Cite

Companies like Netflix increasingly use the cloud to deploy their business processes. Those processes often involve partnerships with other companies, and can be modeled as workflows where the owner of the data at risk interacts with contractors to realize a sequence of tasks on the data to be secured.In practice, access control is an essential building block to deploy these secured workflows. This component is generally managed by administrators using high-level policies meant to represent the requirements and restrictions put on the workflow. Handling access control with a high-level scheme comes with the benefit of separating the problem of specification, i.e. defining the desired behavior of the system, from the problem of implementation, i.e. enforcing this desired behavior. However, translating such high-level policies into a deployed implementation can be error-prone.Even though semi-automatic and automatic tools have been proposed to assist this translation, policy verification remains highly challenging in practice. In this paper, our aim is to define and propose structures assisting the checking and correction of potential errors introduced on the ground due to a faulty translation or corrupted deployments. In particular, we investigate structures with formal foundations able to naturally model policies. Metagraphs, a generalized graph theoretic structure, fulfill those requirements: their usage enables to compare high-level policies to their implementation. In practice, we consider Rego, a language used by companies like Netflix and Plex for their release process, as a valuable representative of most common policy languages. We propose a suite of tools transforming and checking policies as metagraphs, and use them in a global framework to show how policy verification can be achieved with such structures. Finally, we evaluate the performance of our verification method.

show abstract

Section: Introductionmentioning

confidence: 99%

Verification of Cloud Security Policies

Miller

Mérindol

Gallais³

et al. 2021

2021 IEEE 22nd International Conference on High Performance Switching and Routing (HPSR)

View full text Add to dashboard Cite

show abstract

“…A recent work which, with respect to all the others, specifically targets NFV-based networks is [16], [17]. The proposed approach is the first step toward a security policy aware NFV management, with the introduction of a specific module, called Security Awareness Manager (SAM), into frameworks which provide NFV MANO, such as OpenMANO.…”

Section: Related Workmentioning

confidence: 99%

Introducing programmability and automation in the synthesis of virtual firewall rules

Bringhenti

Marchetto

Sisto

et al. 2020

2020 6th IEEE Conference on Network Softwarization (NetSoft)

Self Cite

View full text Add to dashboard Cite

The rise of new forms of cyber-threats is mostly due to the extensive use of virtualization paradigms and the increasing adoption of automation in the software life-cycle. To address these challenges we propose an innovative framework that leverages the intrinsic programmability of the cloud and software-defined infrastructures to improve the effectiveness and efficiency of reaction mechanisms. In this paper, we present our contributions with a demonstrative use case in the context of Kubernetes. By means of this framework, developers of cybersecurity appliances will not have any more to care about how to react to events or to struggle to define any possible security tasks at design time. In addition, automatic firewall ruleset generation provided by our framework will mostly avoid human intervention, hence decreasing the time to carry out them and the likelihood of errors. We focus our discussions on technical challenges: definition of common actions at the policy level and their translation into configurations for the heterogeneous set of security functions by means of a use case.

show abstract

“…The existing verification methods can be divided into two groups according to their ability to model stateful functions. The former group focuses on modeling the forwarding behavior of stateless devices(e.g., switches and routers [12], ACL (Access Control List) Firewall [13], simple loadbalancer [14]); by this we mean that the behavior is not modified until the control plane explicitly changes the configuration and there is no record of previous interactions. The latter group also considers the devices that are dynamic, in which every packet that the network device receives may alter the internal state, and the output is dependent on the sequence of previously encountered packets.…”

Section: B Support Of Stateless and Stateful Functionsmentioning

confidence: 99%

A Framework for Verification-Oriented User-Friendly Network Function Modeling

et al. 2019

Self Cite

View full text Add to dashboard Cite

Network virtualization and softwarization will serve as a new way to implement new services, increases network functionality and flexibility. However, the increasing complexity of the services and the management of very large scale environments drastically complicate detecting alerts and configuration errors of the network components. Nowadays, misconfigurations can be identified using formal analysis of network components for compliance with network requirements. Unfortunately, formal specification of network services requires familiarity with discrete mathematical modeling languages of verification tools, which requires extensive training for network engineers to have the essential knowledge. This paper addresses the above-mentioned problem by presenting a framework designed for automatically extracting verification models starting from an abstract representation of a given network function. Using guidelines provided in this paper, vendors can describe the forwarding behavior of their network function in developer-friendly, high-level languages, which can be then translated into formal verification models of different verification tools. INDEX TERMSNetwork function modeling, model extraction, NFV.

show abstract

Assessing network authorization policies via reachability analysis

Cited by 14 publications

References 25 publications

Verification of Cloud Security Policies

Verification of Cloud Security Policies

Introducing programmability and automation in the synthesis of virtual firewall rules

A Framework for Verification-Oriented User-Friendly Network Function Modeling

Contact Info

Product

Resources

About