Verified Firewall Ruleset Verification with Isabelle/HOL. Cornelius Diekmann. Now with 20% more formulas.


Introduction to Firewalls

A real-world iptables INPUT chain (as printed by iptables -L -n):

Chain INPUT (policy ACCEPT)
target       prot  source           destination
DOS_PROTECT  all   0.0.0.0/0        0.0.0.0/0
ACCEPT       all   0.0.0.0/0        0.0.0.0/0    state RELATED,ESTABLISHED
DROP         tcp   0.0.0.0/0        0.0.0.0/0    tcp dpt:22
DROP         tcp   0.0.0.0/0        0.0.0.0/0    multiport dports 21,873,5005,5006,80,548,...
DROP         udp   0.0.0.0/0        0.0.0.0/0    multiport dports 123,111,2049,892,5353
ACCEPT       all   192.168.0.0/16   0.0.0.0/0
DROP         all   0.0.0.0/0        0.0.0.0/0

Chain DOS_PROTECT (1 references)
target       prot  source           destination
RETURN       icmp  0.0.0.0/0        0.0.0.0/0    icmptype 8 limit: avg 1/sec burst 5
DROP         icmp  0.0.0.0/0        0.0.0.0/0    icmptype 8
RETURN       tcp   0.0.0.0/0        0.0.0.0/0    tcp flags:0x17/0x04 limit: avg 1/sec burst 5
DROP         tcp   0.0.0.0/0        0.0.0.0/0    tcp flags:0x17/0x04

Reading the DOS_PROTECT chain: ICMP echo requests and TCP packets with the RST flag set (flags mask 0x17, compare 0x04) are rate limited; within the limit the chain returns to INPUT, beyond it the packet is dropped. Note that none of the INPUT rules matches on the input interface: the ACCEPT for 192.168.0.0/16 applies to any packet carrying such a source address, whichever interface it arrives on.

Problem

- There are no good high-complexity rule sets [1].
- Firewalls are (still) poorly configured [1, 2].
- Tools do not understand real-world firewall rules [3].

References:
[1] A. Wool, "A Quantitative Study of Firewall Configuration Errors," Computer, IEEE, vol. 37, no. 6, pp. 62-67, Jun. 2004.
[2] A. Wool, "Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese," Internet Computing, IEEE, vol. 14, no. 4, pp. 58-65, Jul. 2010.
[3] C. Diekmann, L. Hupel, and G. Carle, "Semantics-Preserving Simplification of Real-World Firewall Rule Sets," in Formal Methods (FM), Springer, pp. 195-212, Jun. 2015.

Tool for Ruleset Verification

Specification (documentation): What is a correct ruleset? Goal: spoofing protection. Needs: a model of iptables.
Implementation (code, tool): performance.
Proof: connects specification and implementation; carried out in Isabelle/HOL (http://isabelle.in.tum.de/).

Match Expressions: Syntax and Semantics

Syntax: How to represent match expressions?

datatype 'a mexpr = Match 'a
                  | MatchAny
                  | MatchNot 'a mexpr
                  | MatchAnd 'a mexpr 'a mexpr

Polymorphic: arbitrary type 'a for the primitives. Recursive datatype.

Example: MatchAnd (Match (DstIP 8.8.8.8)) (Match (Protocol TCP)), where DstIP 8.8.8.8 and Protocol TCP are the primitives.

Semantics: What do match expressions mean?

matches :: ('a ⇒ 'p ⇒ B) ⇒ 'a mexpr ⇒ 'p ⇒ B

matches γ (Match a) p         = γ a p
matches _ MatchAny _          = True
matches γ (MatchNot m) p      = ¬ matches γ m p
matches γ (MatchAnd m₁ m₂) p  = matches γ m₁ p ∧ matches γ m₂ p

γ is the primitive matcher: it decides, for a primitive a and a packet p, whether a matches p.

Iptables Semantics: Filtering Behavior

Judgement: ⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒ t (ruleset rs processes packet p, starting in state s, ending in state t). States: ? undecided, ✓ accept, ✗ deny.

SKIP:        ⟨γ, p⟩ ⊢ ⟨[], t⟩ ⇒ t
ACCEPT:      matches γ m p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Accept)], ?⟩ ⇒ ✓
DROP:        matches γ m p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Drop)], ?⟩ ⇒ ✗
REJECT:      matches γ m p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Reject)], ?⟩ ⇒ ✗
NOMATCH:     ¬ matches γ m p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, a)], ?⟩ ⇒ ?
DECISION:    t ≠ ?  ⟹  ⟨γ, p⟩ ⊢ ⟨rs, t⟩ ⇒ t
SEQ:         ⟨γ, p⟩ ⊢ ⟨rs₁, ?⟩ ⇒ t    ⟨γ, p⟩ ⊢ ⟨rs₂, t⟩ ⇒ t′  ⟹  ⟨γ, p⟩ ⊢ ⟨rs₁ ::: rs₂, ?⟩ ⇒ t′
LOG:         matches γ m p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Log)], ?⟩ ⇒ ?
EMPTY:       matches γ m p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Empty)], ?⟩ ⇒ ?
CALLRESULT:  matches γ m p    ⟨γ, p⟩ ⊢ ⟨Γ c, ?⟩ ⇒ t  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Call c)], ?⟩ ⇒ t
CALLRETURN:  matches γ m p    Γ c = rs₁ ::: (m′, Return) :: rs₂    matches γ m′ p    ⟨γ, p⟩ ⊢ ⟨rs₁, ?⟩ ⇒ ?  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Call c)], ?⟩ ⇒ ?

Background ruleset Γ :: chain name ⇒ rule list (the user-defined chains).

Semantics Explained

⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒ t

- γ: primitive matcher
- p: packet
- rs: ruleset
- s: start state (e.g., ?)
- t: final state (e.g., ✓, ✗)

Semantics Explained: SKIP

⟨γ, p⟩ ⊢ ⟨[], t⟩ ⇒ t

A rule has a precondition and a conclusion. SKIP has no precondition, so it holds unconditionally: IF TRUE then ⟨γ, p⟩ ⊢ ⟨[], t⟩ ⇒ t.

Empty ruleset: the start state equals the final state. For the empty ruleset, the firewall does nothing.

Semantics Explained: ACCEPT

matches γ m p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Accept)], ?⟩ ⇒ ✓

- Ruleset: a single rule.
- matches γ m p: the rule matches.
- The action of the rule is Accept.
- Start state ?: the firewall does not have a decision yet.
- Final state ✓: it will accept the packet.

A matching Accept rule accepts packets.

Semantics Explained: CALLRETURN

matches γ m p    Γ c = rs₁ ::: (m′, Return) :: rs₂    matches γ m′ p    ⟨γ, p⟩ ⊢ ⟨rs₁, ?⟩ ⇒ ?  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m, Call c)], ?⟩ ⇒ ?

- matches γ m p: the Call rule matches.
- The called chain c in the background ruleset Γ is defined as rs₁ ::: (m′, Return) :: rs₂.
- ⟨γ, p⟩ ⊢ ⟨rs₁, ?⟩ ⇒ ?: the first part rs₁ is processed without result.
- matches γ m′ p: then there is a matching Return.

Calling a user-defined chain and returning without result.
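Worked derivation, added here and not part of the slides: the rules above applied to the DOS_PROTECT chain from the INPUT ruleset shown at the beginning, for a TCP packet p with the RST flag set whose rate limit is not yet exhausted (assumed: matches γ limit p). The abbreviations icmp, echo, tcp, rst, limit stand for Match of the corresponding primitive.

Γ DOS_PROTECT = [(m₁, Return), (m₂, Drop), (m₃, Return), (m₄, Drop)]
  m₁ = MatchAnd icmp (MatchAnd echo limit)
  m₂ = MatchAnd icmp echo
  m₃ = MatchAnd tcp (MatchAnd rst limit)
  m₄ = MatchAnd tcp rst

For p (protocol TCP, RST set, within the limit): ¬ matches γ m₁ p, ¬ matches γ m₂ p, matches γ m₃ p.
Decompose the chain as required by CALLRETURN: rs₁ = [(m₁, Return), (m₂, Drop)], m′ = m₃, rs₂ = [(m₄, Drop)].

(1) NOMATCH:     ¬ matches γ m₁ p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m₁, Return)], ?⟩ ⇒ ?
(2) NOMATCH:     ¬ matches γ m₂ p  ⟹  ⟨γ, p⟩ ⊢ ⟨[(m₂, Drop)], ?⟩ ⇒ ?
(3) SEQ (1, 2):  ⟨γ, p⟩ ⊢ ⟨[(m₁, Return)], ?⟩ ⇒ ?    ⟨γ, p⟩ ⊢ ⟨[(m₂, Drop)], ?⟩ ⇒ ?  ⟹  ⟨γ, p⟩ ⊢ ⟨rs₁, ?⟩ ⇒ ?
(4) CALLRETURN:  matches γ MatchAny p    Γ DOS_PROTECT = rs₁ ::: (m₃, Return) :: rs₂    matches γ m₃ p    (3)  ⟹  ⟨γ, p⟩ ⊢ ⟨[(MatchAny, Call DOS_PROTECT)], ?⟩ ⇒ ?

rs₂, and with it the Drop for RST packets, is never looked at. The remaining INPUT rules are then appended via SEQ, starting again from ?. If instead the limit were exhausted (¬ matches γ m₃ p), the chain would be processed as a whole: NOMATCH for m₃, DROP for m₄, giving ⟨γ, p⟩ ⊢ ⟨Γ DOS_PROTECT, ?⟩ ⇒ ✗, and CALLRESULT would propagate ✗ to the Call rule; DECISION then skips every later INPUT rule.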

Semantics-Preserving Simplification

⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒ t   iff   ⟨γ, p⟩ ⊢ ⟨f rs, s⟩ ⇒ t

f :: 'a ruleset ⇒ 'a ruleset. f does not change the filtering behavior of the firewall. Examples of such f:

- Removing Log rules
- Unfolding of user-defined chains
- Normalizing match expressions, ...

Embedding in Ternary Logic

B = {True, False}
Ternary = {True, False, Unknown}

{p | approx_firewall γ stricter rs = ✓}  ⊆  {p | ⟨γ, p⟩ ⊢ ⟨rs, ?⟩ ⇒ ✓}  ⊆  {p | approx_firewall γ permissive rs = ✓}

The set in the middle is the set of packets accepted by the firewall; it is specified, but not executable. The two approximations on the left and right are executable: primitives the model cannot decide evaluate to Unknown, and the stricter variant resolves Unknown towards deny, the permissive variant towards accept.

We can specify a lot... but we also believe in running code.

Spoofing Protection

ipassmt :: interface ⇒ IP set
Example: ipassmt = [eth0 ↦ 192.168.0.0/24]

Spoofing protection for eth0:
{p.src_ip | p.in_iface = eth0 ∧ ⟨γ, p⟩ ⊢ ⟨rs, ?⟩ ⇒ ✓}  ⊆  192.168.0.0/24

In general, for every interface:
∀ eth ∈ ipassmt.keys.  {p.src_ip | p.in_iface = eth ∧ ⟨γ, p⟩ ⊢ ⟨rs, ?⟩ ⇒ ✓}  ⊆  ipassmt.get(eth)

Executable check, proven sound:
check_spoofing_protection ipassmt rs  ⟹  ∀ eth ∈ ipassmt.keys.  {p.src_ip | p.in_iface = eth ∧ ⟨γ, p⟩ ⊢ ⟨rs, ?⟩ ⇒ ✓}  ⊆  ipassmt.get(eth)
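The following is an added, executable model of the material above in Python; it is not code from the slides or from the iptables_semantics project (which is Isabelle/HOL with a Haskell tool). It implements the match-expression datatype and `matches`, the big-step rules (SKIP through CALLRETURN) as an evaluator with a background ruleset Γ, the semantics-preserving unfolding of user-defined chains and removal of Log/Empty rules, the ternary embedding (stricter and permissive approximations), and a sample-based check of the spoofing-protection property, all run against the INPUT ruleset from the first slide. Assumptions of this example: packets are dicts with the field names used here; the rate `limit` match is the only primitive the static model cannot decide (Unknown), with the limiter's state supplied as `limit_ok` for the exact run; Unknown is resolved only on unfolded Accept/Drop rulesets, as in the embedding above; the interface assignment `IPASSMT` and the sample packets are constructed. The spoofing check here is a falsifier over the given samples, not the verified decision procedure that covers all packets. Because the slide's ruleset never matches on the input interface, a packet with a 192.168.0.0/16 source is accepted on every interface, which against the two-interface assignment yields a witness.

```python
from ipaddress import ip_address, ip_network
from functools import reduce
T, F, U = True, False, None   # Ternary = {True, False, Unknown}; Unknown is None

# datatype 'a mexpr = Match 'a | MatchAny | MatchNot 'a mexpr | MatchAnd 'a mexpr 'a mexpr
def Match(prim):   return ("Match", prim)
MatchAny = ("MatchAny",)
def MatchNot(m):   return ("MatchNot", m)
def MatchAnd(*ms): return ("MatchAnd", ms)   # n-ary spelling of nested MatchAnd
def t_not(x): return U if x is U else (not x)
def t_and(x, y): return F if F in (x, y) else (U if U in (x, y) else T)

def gamma(prim, p, approx):
    """Primitive matcher γ over packets given as dicts (field names are this example's)."""
    kind, arg = prim
    if kind == "limit":    return U if approx else p["limit_ok"]  # rate-limiter state: Unknown statically
    if kind == "src":      return ip_address(p["src"]) in ip_network(arg)
    if kind == "iiface":   return p["iiface"] == arg
    if kind == "proto":    return p["proto"] == arg
    if kind == "dport":    return p.get("dport") in arg
    if kind == "state":    return p["state"] in arg
    if kind == "icmptype": return p.get("icmptype") == arg
    if kind == "tcpflags": return (p.get("flags", 0) & arg[0]) == arg[1]  # mask/comp as iptables prints it
    raise ValueError(prim)

def matches(m, p, approx=False):
    """matches γ m p; with approx=True in ternary (Kleene) logic, Unknown propagates."""
    if m[0] == "Match":    return gamma(m[1], p, approx)
    if m[0] == "MatchAny": return T
    if m[0] == "MatchNot": return t_not(matches(m[1], p, approx))
    return reduce(lambda r, s: t_and(r, matches(s, p, approx)), m[1], T)

def eval_rules(rs, p, Gamma, in_doubt=None):
    """⟨γ,p⟩ ⊢ ⟨rs,?⟩ ⇒ t in {'?','allow','deny'}; 'return' = matching Return; in_doubt='allow'|'deny' resolves Unknown (unfolded Accept/Drop rulesets only)."""
    state = "?"
    for m, action in rs:
        if state != "?": break                                 # DECISION
        hit = matches(m, p, approx=in_doubt is not None)
        if hit is U:
            if action not in ("Accept", "Drop", "Reject"): raise ValueError("simplify first")
            hit = (in_doubt == "allow") == (action == "Accept")
        if not hit: continue                                   # NOMATCH
        if action == "Accept": state = "allow"                 # ACCEPT
        elif action in ("Drop", "Reject"): state = "deny"      # DROP / REJECT
        elif action == "Return": return "return"
        elif isinstance(action, tuple):                        # ("Call", c): CALLRESULT / CALLRETURN
            sub = eval_rules(Gamma[action[1]], p, Gamma, in_doubt)
            if sub != "return": state = sub
    return state                                               # Log / Empty: matched, no decision

def unfold_call(m, chain):
    """Inline one Call: guard each rule by the call's match and by ¬ of every earlier Return."""
    guards, out = [m], []
    for mi, ai in chain:
        if ai == "Return": guards.append(MatchNot(mi))
        else: out.append((MatchAnd(*guards, mi), ai))
    return out

def simplify(rs, Gamma):
    """Semantics-preserving f: unfold all user-defined chains, drop Log/Empty rules."""
    out = []
    for m, a in rs:
        out += simplify(unfold_call(m, Gamma[a[1]]), Gamma) if isinstance(a, tuple) else [(m, a)]
    return [(m, a) for m, a in out if a not in ("Log", "Empty")]

# The INPUT ruleset of the first slide (multiport list kept as far as the slide shows it).
tcp, udp, icmp = Match(("proto", "tcp")), Match(("proto", "udp")), Match(("proto", "icmp"))
echo, rst, limit = Match(("icmptype", 8)), Match(("tcpflags", (0x17, 0x04))), Match(("limit", "1/sec burst 5"))
GAMMA = {
    "DOS_PROTECT": [(MatchAnd(icmp, echo, limit), "Return"), (MatchAnd(icmp, echo), "Drop"),
                    (MatchAnd(tcp, rst, limit), "Return"), (MatchAnd(tcp, rst), "Drop")],
    "INPUT": [(MatchAny, ("Call", "DOS_PROTECT")),
              (Match(("state", {"RELATED", "ESTABLISHED"})), "Accept"),
              (MatchAnd(tcp, Match(("dport", {22}))), "Drop"),
              (MatchAnd(tcp, Match(("dport", {21, 873, 5005, 5006, 80, 548}))), "Drop"),
              (MatchAnd(udp, Match(("dport", {123, 111, 2049, 892, 5353}))), "Drop"),
              (Match(("src", "192.168.0.0/16")), "Accept"),
              (MatchAny, "Drop")]}
SIMPLE = simplify(GAMMA["INPUT"], GAMMA)

def firewall(p, in_doubt=None, rs=None):
    t = eval_rules(GAMMA["INPUT"] if rs is None else rs, p, GAMMA, in_doubt)
    return "allow" if t in ("?", "return") else t             # chain policy ACCEPT if undecided

def pkt(**f): return {"iiface": "eth0", "state": "NEW", "limit_ok": True, **f}  # constructed samples
P_EST   = pkt(src="8.8.8.8", proto="tcp", state="ESTABLISHED")
P_SSH   = pkt(src="192.168.1.5", proto="tcp", dport=22)
P_RST   = pkt(src="192.168.1.5", proto="tcp", flags=0x04)   # TCP RST, rate-limited in DOS_PROTECT
P_SPOOF = pkt(src="192.168.1.5", proto="udp", dport=53, iiface="eth1")
PACKETS = [P_EST, P_SSH, P_RST, P_SPOOF]
IPASSMT = {"eth0": "192.168.0.0/16", "eth1": "10.0.0.0/8"}    # assumed interface ↦ IP set

def same_behaviour(rs1, rs2, packets):   # spot-check of f on samples, both rate-limiter states
    return all(firewall(dict(p, limit_ok=ok), None, rs1) == firewall(dict(p, limit_ok=ok), None, rs2)
               for p in packets for ok in (T, F))

def spoofing_witnesses(ipassmt, packets, rs=SIMPLE):
    """Sample-based falsifier: a NEW packet the permissive (over-approximating) firewall accepts on eth with a source outside ipassmt[eth]."""
    return [p for p in packets if p["state"] == "NEW" and firewall(p, "allow", rs) == "allow"
            and ip_address(p["src"]) not in ip_network(ipassmt[p["iiface"]])]
```

For the RST packet `P_RST` from 192.168.1.5 the exact semantics gives allow when the limit is not exhausted and deny when it is; on the unfolded ruleset the stricter approximation answers deny and the permissive one allow, which is exactly the sandwich of the ternary-logic slide. The permissive approximation is the right one for the spoofing check: if even the over-approximated set of accepted sources stays inside ipassmt, so does the exact set. Restricting the witness search to NEW packets is this example's simplification; established flows were admitted by an earlier packet.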


Service Matrix

Partitions the complete IPv4 space; all IP addresses in each group have the same access rights; the partition cannot be compressed any further.

[Figure not transcribed: access graph between the groups INET, INET multicast, servers, routers, internal, localhost, ip₁ and ip₂.]

Sources

- Firewall rulesets (please contribute): https://github.com/diekmann/net-network
- Isabelle theories + Haskell tool: https://github.com/diekmann/iptables_semantics