Formal correctness of conflict detection for firewalls

Capretta, Venanzio; Stepien, Bernard; Felty, Amy P.; Matwin, Stan

doi:10.1145/1314436.1314440

Cited by 43 publications

(42 citation statements)

References 23 publications

(17 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main restriction is that we do not cover all of the XACML's defined functions. This work extends the second author's work (with others) [2] on detecting conflicts in Cisco firewall rules, and reports on and extends the work in the first author's thesis [8]. Conflict detection is considerably more complex in XACML.…”

Section: Introductionsupporting

confidence: 58%

“…We present Coq code for rules (2) and (3) In the first rule, for example, the second argument to ruleCons is a list of subjects obtained by concatenating two lists, and the other elements of type list srac are all singleton lists. The subset of XACML functions we consider is defined by the following inductive definition:…”

Section: Xacml Policies and Their Encoding In Coqmentioning

confidence: 99%

See 1 more Smart Citation

A verified algorithm for detecting conflicts in XACML access control rules

St-Martin

Felty

2016

Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

We describe the formalization of a correctness proof for a conflict detection algorithm for XACML (eXtensible Access Control Markup Language). XACML is a standardized declarative access control policy language that is increasingly used in industry. In practice it is common for rule sets to grow large, and contain unintended errors, often due to conflicting rules. A conflict occurs in a policy when one rule permits a request and another denies that same request. Such errors can lead to serious risks involving both allowing access to an unauthorized user as well as denying access to someone who needs it. Removing conflicts is thus an important aspect of debugging policies, and the use of a verified algorithm provides the highest assurance in a domain where security is important. In this paper, we extend our previous work on verification of conflict detection for Cisco firewall rules. We focus on several XACML constructs, the most complex of which are used for expressing time constraints. XACML is a significantly more expressive language than the one used to express firewall rules in Cisco products, and time constraints provide a good illustration of that expressive power. We propose an algorithm to find conflicts and then use the Coq Proof Assistant to prove the algorithm correct. We develop a library of tactics to help automate the proof.

show abstract

Section: Introductionsupporting

confidence: 58%

Section: Xacml Policies and Their Encoding In Coqmentioning

confidence: 99%

A verified algorithm for detecting conflicts in XACML access control rules

St-Martin

Felty

2016

Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

show abstract

“…Capretta et al proposed a formalization of conflict detection for firewalls. They defined conflict for the rules if and only if the actions of the rules are different [13]. In such conflict detection, redundancy cannot be detected, as the redundant filters have the same action, but our system analyzes the filters with both the same and different actions, and conflicts are classified in detail.…”

Section: Related Workmentioning

confidence: 99%

“…The synthetic firewall policy (FPB) ranges in size from 100 to 1000. In this paper, like other firewall management techniques [3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22], we did not consider the stateful filters for experimental evaluation. The treatment of conflict detection in stateful firewalls is a topic for future work.…”

Section: Geometrymentioning

confidence: 99%

See 1 more Smart Citation

A Topology-Based Conflict Detection System for Firewall Policies using Bit-Vector-Based Spatial Calculus

Thanasegaran¹,

Yin²,

Tateiwa³

et al. 2011

IJCNS

View full text Add to dashboard Cite

Firewalls use packet filtering to either accept or deny packets on the basis of a set of predefined rules called filters. The firewall forms the initial layer of defense and protects the network from unauthorized access. However, maintaining firewall policies is always an error prone task, because the policies are highly complex. Conflict is a misconfiguration that occurs when a packet matches two or more filters. The occurrence of conflicts in a firewall policy makes the filters either redundant or shadowed, and as a result, the network does not reflect the actual configuration of the firewall policy. Hence, it is necessary to detect conflicts to keep the filters meaningful. Even though geometry-based conflict detection provides an exhaustive method for error classification, when the number of filters and headers increases, the demands on memory and computation time increase. To solve these two issues, we make two main contributions. First, we propose a topology-based conflict detection system that computes the topological relationship of the filters to detect the conflicts. Second, we propose a systematic implementation method called BISCAL (a bit-vector-based spatial calculus) to implement the proposed system and remove irrelevant data from the conflict detection computation. We perform a mathematical analysis as well as experimental evaluations and find that the amount of data needed for topology is only one-fourth of that needed for geometry.

show abstract