Verification of Computing Policies and Other Hard Problems

Transcription

1 Verification of Computing Policies and Other Hard Problems Mohamed G Gouda University of Texas at Austin gouda@cs.utexas.edu Presentation at METIS

2 Computing Policy A computing policy is a formalism that can be used to specify: A firewall policy in the Internet A routing policy in the Internet An access control policy in an operating or database system In this presentation: Use the term firewall to mean a computing policy Use the term packet to mean a request 2

3 In this Presentation We outline a theory of the logical analysis of firewalls This theory consists of three parts: Describe an efficient method for verifying whether any given firewall satisfies any give property Show that the two problems of firewall verification and firewall redundancy checking are equivalent Show that every problem related to the logical analysis of firewalls, including verification and redundancy checking, is NP- hard 3

4 Projection and Division: Linear-Space Verification of Firewalls H. B. Acharya, M. G. Gouda University of Texas at Austin {acharya, ICDCS

5 In This Paper A firewall is a packet filter placed at the entry of a private network to decide which incoming packets are discarded or accepted In this paper, we discuss: How to specify firewalls How to specify firewall properties How to verify that a firewall satisfies its properties We show that the presented verification algorithm requires linear (in the size of the verified firewall) space 5

6 Fields Header of a packet has fields: x, y,. The value of each field is taken from an interval of nonnegative integers: x in [0, 9], y in [0, 9], Each packet is defined by the value of each of its fields. Example of a packet: (x = 0, y = 6) 6

7 Firewall F F is a sequence of rules: x in [1, 6] Λ y in [3, 7] discard x in [0, 2] Λ y in [1, 4] discard x in [3, 8] Λ y in [6, 6] accept x in [0, 9] Λ y in [0, 9] accept First Match: Apply to each packet the decision of the first rule that the packet matches. F accepts packet (x = 0, y = 6) F discards packet (x = 0, y = 4) 7

8 P is of form: A Discard Property P x in [ax, bx] Λ y in [ay, by] discard P specifies a set of packets that should be discarded by firewall For example, the discard property x in [0, 5] Λ y in [6, 8] discard states that the packets (0, 6), (0, 7), (0, 8), (1, 6), (1, 7), (1, 8), should be discarded. 8

9 Satisfiability A firewall F satisfies a discard property P iff F discards every packet that matches predicate of P For example, firewall x in [1, 6] Λ y in [3, 7] discard x in [0, 9] Λ y in [0, 9] accept satisfies property x in [1, 2] Λ y in [5, 5] discard 9

10 Firewall Verification Problem Design an algorithm that takes a firewall F and a discard property P and determines whether F satisfies P 10

11 Complexity of Verification Algorithms F has d fields and n rules where d = 5 and n = 2,000 [Liu and Gouda 2004, 2007], [Al-Shaer 2007]: Time and space are O(n d ) [Acharya and Gouda 2009]: Probabilistic Verification Time and space are O(nd) [Acharya and Gouda 2010]: Deterministic Verification Time is O(n d+1 ), space is O(nd) 11

12 Overview of our New Algorithm If every Y i is (AS i accepts no packets) then F satisfies P else F does not satisfy P 12

13 Projection Firewall F: x in [1, 6] Λ y in [3, 7] discard x in [0, 2] Λ y in [1, 4] discard x in [3, 8] Λ y in [6, 6] accept x in [0, 9] Λ y in [0, 9] accept Property P: x in [0, 5] Λ y in [6, 8] discard Projection F/P: x in [1, 5] Λ y in [6, 7] discard x in [3, 5] Λ y in [6, 6] accept x in [0, 5] Λ y in [6, 8] accept 13

14 Theorem 1 A firewall F satisfies a discard property P iff the projection F/P accepts no packet 14

15 If you are Lucky, If first rule in F/P is accept then F does not satisfy P skip rest of algorithm If all rules in F/P are discard then F satisfies P skip rest of algorithm Otherwise, you are not lucky and you need to execute the rest of the algorithm to check whether F/P accepts no packet 15

16 Division Let F be a firewall and P be a discard property The firewall F/P can be divided into k small firewalls called accept slices of F/P and denoted: AS 1,, As k Each accept slice AS i consists of the i-th accept rule ar in F/P, preceded by all the discard rules that precede ar in F/P 16

17 Division Example F/P: AS 1 : AS 2 : x in [1, 5] Λ y in [6, 7] discard x in [3, 5] Λ y in [6, 6] accept x in [0, 5] Λ y in [6, 8] accept x in [1, 5] Λ y in [6, 7] discard x in [3, 5] Λ y in [6, 6] accept x in [1, 5] Λ y in [6, 7] discard x in [0, 5] Λ y in [6, 8] accept 17

18 Theorem 2 Let F be a firewall and P be a discard property The firewall F/P accepts no packet iff none of the accept slices of F/P accepts a packet 18

19 Reduction of AS i If the accept rule ar is covered by a discard rule in AS i Then remove ar from AS i. Now AS i accepts no packets and there is no need to probe AS i further Example AS 1 : x in [1, 5] Λ y in [6, 7] discard x in [3, 5] Λ y in [6, 6] accept Thus AS 1 accepts no packets 19

20 Probing of AS i AS 2 : x in [1, 5] Λ y in [6, 7] discard x in [0, 5] Λ y in [6, 8] accept Compute sets Sx and Sy from AS 2 : Sx = {0, 6}, Sy = {6, 8} Compute all probe packets in Sx X Sy (0, 6), (0, 8), (6, 6), (6, 8) Check whether AS 2 accepts any of these probe packets AS 2 accepts (0, 6), and we conclude that F does not satisfy P. 20

21 Experiment Results I 21

22 Experiment Results II 22

23 Concluding Remarks Complexity of this algorithm Time is O(n d+1 ) Space is O(nd) This complexity is the best that can be achieved as discussed later Three elegant ideas: projection, division, probing can be used in other algorithms to analyze firewalls 23

24 Firewall Verification and Redundancy Checking Are Equivalent H. B. Acharya, M. G. Gouda University of Texas at Austin {acharya, INFOCOM

25 In This Paper A firewall is a packet filter placed at the entry of a private network to decide which incoming packets are discarded or accepted Two problems related to analysis of firewalls: Verification Redundancy Checking These two problems were thought to be independent But we show that they are equivalent: Any algorithm that solves either problem with some complexity can solve the other with same complexity 25

26 Fields Header of a packet has fields: x, y, The value of each field is taken from an interval of nonnegative integers: x in [0, 9], y in [0, 9], Each packet is defined by the value of each of its fields. Example of a packet: (x = 0, y = 6) or (0, 6) 26

27 Firewall F F is a sequence of rules: x in [1, 6] Λ y in [3, 7] discard x in [0, 2] Λ y in [1, 4] discard x in [3, 8] Λ y in [6, 6] accept x in [0, 9] Λ y in [0, 9] accept First Match: Apply to each packet the decision of the first rule that the packet matches F accepts packet (x = 0, y = 6) F discards packet (x = 0, y = 4) 27

28 Property r is of form: Property r x in [ax, bx] Λ y in [ay, by] discard (or accept) r specifies a set of packets that should be discarded (or accepted) by the firewall For example, the property x in [0, 5] Λ y in [6, 8] discard states that the packets (0, 6), (0, 7), (0, 8), (1, 6), (1, 7), (1, 8), should be discarded. 28

29 Satisfiability Firewall F satisfies a discard (or accept) property r iff F discards (or accepts) every packet that matches predicate of r For example, firewall x in [1, 6] Λ y in [3, 7] discard x in [0, 9] Λ y in [0, 9] accept satisfies property x in [1, 2] Λ y in [5, 5] discard 29

30 Firewall Verification Problem Design an algorithm that takes as input firewall F and property r and determines whether F satisfies r 30

31 Complexity of Verification Algorithms F has d fields and n rules, usually d = 5 and n = 2,000 [Liu and Gouda 2004, 2007], [Al-Shaer 2007]: Time and space are O((2n) d ) [Acharya and Gouda 2009]: Probabilistic Verification Time and space are O(nd) [Acharya and Gouda 2010]: Deterministic Verification Time is O(n d+1 ), space is O(nd) 31

32 Firewall Equivalence Two firewalls F and F are equivalent iff they accept the same set of packets and discard the same set of packets For example, firewall F: x in [1, 6] Λ y in [3, 7] discard x in [0, 9] Λ y in [0, 9] accept and firewall F : x in [1, 3] Λ y in [3, 7] discard x in [2, 6] Λ y in [3, 7] discard x in [0, 9] Λ y in [0, 9] accept are equivalent 32

33 Redundant Rules A rule r in a firewall F is redundant iff the two firewalls F and F-r are equivalent, where F-rl is firewall F after removing rule rl from it. For example the first rule in the following firewall is redundant: x in [7, 8] Λ y in [9, 9] accept x in [1, 6] Λ y in [3, 7] discard x in [0, 9] Λ y in [0, 9] accept 33

34 Firewall Redundancy Checking Problem Design an algorithm that takes as input firewall F and rule r in F and determines whether r is redundant in F 34

35 Our Main Result The two problems Firewall Verification Firewall Redundancy Checking are equivalent: Any algorithm that solves either problem with some complexity can solve the other problem with the same complexity Use our 2010 firewall verification algorithm, whose time is O(n d+1 ) & space is O(nd), to solve both problems 35

36 Using Verification in Redundancy Checking Complexity of the redundancy checking part is not higher than that of the verification part 36

37 Using Redundancy Checking in Verification Complexity of the verification part is not higher than that of the redundancy checking part 37

38 Conjecture The firewall verification problem and the redundancy checking problem can both be generalized We believe that the two generalized problems are also equivalent But we have not yet worked out the details 38

39 Concluding Remarks Only one of two problems, firewall verification and firewall redundancy checking, needs to remain as an intellectual challenge We suggest that this problem be the firewall verification problem since we have an excellent solution for it [Acharya and Gouda in ICDCS 2010] Any progress that is made in solving the firewall verification problem can be mirrored in solving the other problem 39

40 Hardness of Firewall Analysis E. S. Elmallah (1) and M. G. Gouda (2) (1) University of Alberta (2) University of Texas at Austin NETYS

41 In This Paper A firewall is a packet filter placed at the entry of a private network to decide which incoming packets are discarded or accepted In this paper: Discuss how to specify firewalls and their properties Identify 13 problems related to firewall analysis Show that these problems are all NP-hard 41

42 Fields Header of a packet has fields: x, y,. The value of each field is taken from an interval of nonnegative integers: x in [0, 9], y in [0, 9], Each packet is defined by the value of each of its fields. Example of a packet: (x = 0, y = 6) or (0, 6) 42

43 Firewall F F is a sequence of rules: x in [1, 6] Λ y in [3, 7] discard x in [0, 2] Λ y in [1, 4] discard x in [3, 8] Λ y in [6, 6] accept x in [0, 9] Λ y in [0, 9] accept First Match: Apply to each packet the decision, discard or accept, of the first rule whose predicate matches the packet F accepts packet (x = 0, y = 6) F discards packet (x = 0, y = 4) 43

44 A Discard or Accept Property P of F A discard P is of the form: x in [ax, bx] Λ y in [ay, by] discard P specifies set of packets that should be discarded by firewall F An accept P is of the form: x in [ax, bx] Λ y in [ay, by] accept P specifies set of packets that should be discarded by firewall F For example, the discard property x in [0, 5] Λ y in [6, 8] discard states that the packets (0, 6), (0, 7), (0, 8), (1, 6), (1, 7), (1, 8), should be discarded by F 44

45 Satisfiability Firewall F satisfies a discard property P iff F discards every packet that matches the predicate of P Firewall F satisfies an accept property P iff F accepts every packet that matches the predicate of P For example, firewall x in [1, 6] Λ y in [3, 7] discard x in [0, 9] Λ y in [0, 9] accept satisfies discard property x in [1, 2] Λ y in [5, 5] discard 45

46 Slice-Probing-Discard Discard Slice: <predicate 1> <predicate.(n-1)> <ALL predicate> --> accept --> accept --> discard Problem: Design an algorithm that determines for any discard slice S whether S discards one packet This problem is NP-hard by (polynomial) translation from the NP-hard problem of 3-SAT 46

47 Slice-Probing-Accept Accept Slice: <predicate 1> <predicate.(n-1)> <ALL predicate> --> discard --> discard --> accept Problem: Design an algorithm that determines for any accept slice S whether S accepts a packet This problem is NP-hard by translation from the NP-hard problem of Slice-Probing-Discard. (Replace each discard by accept and vice versa.) 47

48 Firewall-Adequacy-Discard Problem: Design an algorithm that determines for any firewall F whether F discards a packet This problem is NP-hard by translation from the NP-hard problem of Slice-Probing-Discard. (View the discard slice as a firewall.) 48

49 Firewall-Adequacy-Accept Problem: Design an algorithm that determines for any firewall F whether F accepts a packet This problem is NP-hard by translation from the NP-hard problem of Firewall-Adequacy-Discard. (Replace each discard by accept and vice versa.) 49

50 Firewall-Completeness Problem: Design an algorithm that determines for any firewall F whether F ignores (i.e. neither discards nor accepts) a packet This problem is NP-hard by translation from the NP-hard problem of Slice-Probing-Discard. (View the discard slice minus its last rule as a firewall.) 50

51 Firewall-Verification-Discard Problem: Design an algorithm that determines for any firewall F and any discard property pp whether F satisfies pp This problem is NP-hard by translation from the NP-hard problem of Slice-Probing-Accept. (View the accept slice as a firewall and view the ALL discard property as a discard property.) 51

52 Firewall-Verification-Accept Problem: Design an algorithm that determines for any firewall F and any accept property pp whether F satisfies pp This problem is NP-hard by translation from the NP-hard problem of Firewall-Verification-Discard. (Replace each discard by accept and vice versa.) 52

53 Firewall-Implication-Discard Problem: Design an algorithm that determines for any two firewalls F1 and F2 whether every packet that is discarded by F1 is discarded by F2 This problem is NP-hard by translation from the NP-hard problem of Firewall-Verification-Discard. (View the firewall and the discard property as two firewalls.) 53

54 Firewall-Implication-Accept Problem: Design an algorithm that determines for any two firewalls F1 and F2 whether every packet that is accepted by F1 is accepted by F2 This problem is NP-hard by translation from the NP-hard problem of Firewall-Implication-Discard. (Replace each discard by accept and vice versa.) 54

55 Firewall-Redundancy-Discard Problem: Design an algorithm that determines for any firewall F and any discard rule dr in F whether the two firewalls F and F-{dr} discard the same set of packets This problem is NP-hard by translation from the NP-hard problem of Firewall-Verification-Discard. (View the discard property as a discard rule and place it at the top of the firewall.) 55

56 Firewall-Redundancy-Accept Problem: Design an algorithm that determines for any firewall F and any accept rule ar in F whether the two firewalls F and F-{ar} accept the same set of packets This problem is NP-hard by translation from the NP-hard problem of Firewall-Redundancy-Discard. (Replace each discard by accept and vice versa.) 56

57 Firewall-Equivalence-Discard Problem: Design an algorithm that determines for any two firewalls F1 and F2 whether F1 and F2 discard the same set of packets This problem is NP-hard by translation from the NP-hard problem of Firewall-Redundancy-Discard. (View the firewall and the firewall minus the discard rule as two firewalls.) 57

58 Firewall-Equivalence-Accept Problem: Design an algorithm that determines for any two firewalls F1 and F2 whether F1 and F2 accept the same set of packets This problem is NP-hard by translation from the NP-hard problem of Firewall-Equivalence-Discard. (Replace each discard by accept and vice versa.) 58

59 Where We Go from Here Use SAT-Solvers Adopt Integer Fields Accept Probabilistic Solutions 59