Transforming commodity security policies to enforce Clark-Wilson integrity

Muthukumaran, Divya; Rueda, Sandra; Talele, Nirupama; Vijayakumar, Hayawardh; Teutsch, Jason; Jaeger, Trent

doi:10.1145/2420950.2420991

Cited by 8 publications

(6 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The linear 3-cut problem also arose from one such application. Muthukumaran et al [10] and Talele et al [11] formulated the problem of placing security mediators in a distributed system as a cut problem. They modeled a distributed system as a directed graph with arcs indicating the direction of possible communication.…”

Section: Motivationsmentioning

confidence: 99%

A tight $$\sqrt{2}$$-approximation for linear 3-cut

et al. 2019

View full text Add to dashboard Cite

We investigate the approximability of the linear 3-cut problem in directed graphs, which is the simplest unsolved case of the linear k-cut problem. The input here is a directed graph D = (V, E) with node weights and three specified terminal nodes s, r, t ∈ V , and the goal is to find a minimum weight subset of non-terminal nodes whose removal ensures that s cannot reach r and t, and r cannot reach t. The problem is approximation-equivalent to the problem of blocking rooted in-and out-arborescences, and it also has applications in network coding and security. The approximability of linear 3-cut has been wide open until now: the best known lower bound under the Unique Games Conjecture (UGC) was 4/3, while the best known upper bound was 2 using a trivial algorithm. In this work we completely close this gap: we present a √ 2-approximation algorithm and show that this factor is tight assuming UGC. Our contributions are twofold: (1) we analyze a natural two-step deterministic rounding scheme through the lens of a single-step randomized rounding scheme with non-trivial distributions, and (2) we construct integrality gap instances that meet the upper bound of √ 2. Our gap instances can be viewed as a weighted graph sequence converging to a "graph limit structure".

show abstract

Section: Motivationsmentioning

confidence: 99%

A tight $$\sqrt{2}$$-approximation for linear 3-cut

et al. 2019

View full text Add to dashboard Cite

show abstract

“…These methods focus on only one layer of the system, such as the network, a single host, or a single program because the size of the graphs becomes prohibitive. A recent work that reasons about data flows in distributed systems only handles systems with tens of hosts [23]. As a result, such methods are not usable for organizations with several networks containing many hosts.…”

Section: Introductionmentioning

confidence: 99%

“…Researchers have explored methods for solving the mediator placement problem to monitor security in networks [27], hosts [23,30], and individual programs [18,13,20]. These techniques convert the operations authorized by network policies, network topology, host policies, and program code, respectively, into data flow graphs.…”

mentioning

confidence: 99%

“…Finally, individual programs also implement complex data flows. As a result, most prior methods for solving mediator placement problems only reason about one level of the system, such as the network [27], hosts [23,30], or individual programs [13,20,18]. When researchers consider all these layers, the problem was limited to a small number of machines [23].…”

mentioning

confidence: 99%

“…As a result, most prior methods for solving mediator placement problems only reason about one level of the system, such as the network [27], hosts [23,30], or individual programs [13,20,18]. When researchers consider all these layers, the problem was limited to a small number of machines [23]. Talele et al proposed a method whereby summaries of individual hosts are produced [37], yet only problems consisting of tens of hosts could be solved.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Monitor placement for large-scale systems

Talele

Teutsch

Erbacher

et al. 2014

Proceedings of the 19th ACM Symposium on Access Control Models and Technologies

Self Cite

View full text Add to dashboard Cite

System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method to compute network monitor placements that leverages commonality in available access control policies across hosts to compute network monitor placement for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing of thousands of rules in seconds (less than 125 for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.

show abstract