1 FSL: A Flow-based Security Language
Tim Hinrichs, Natasha Gude, Martìn Casado, John Mitchell, Scott Shenker
University of Chicago, Nicira Networks, Stanford University, UC Berkeley

2 Local Area Networks

3 Network Policy Examples
"Every wireless guest user must send HTTP requests through an HTTP proxy."
"No phone can communicate with any private computer."
"Superusers have no communication restrictions."
"Laptops cannot receive incoming connections."

4 NOX: a Network Architecture (Ethane's successor)
(Figure: a NOX controller holding the network view and running App 1, App 2 and App 3 above OpenFlow switches, a wireless OpenFlow switch, PCs and off-the-shelf hosts.) See [Gude2008].

5 NOX Operation

6 SECURITY POLICY

7 NOX Operation

8 FSL
FSL: Flow Security Language
FSL balances the desires to make expressing network policies natural and implementing policies efficient.

9 A Datalog Variant
Syntax: h :- b1,…,bn,c1,…,cm
- h must exist.
- Every variable in the body must appear in h.
- Nonrecursive sentence sets.
Semantics:
- Statement order is irrelevant.
- Every sentence set is satisfied by exactly one model.

10 Network Flows
Keywords for constraining a flow's route:
- allow: allow the flow
- deny: deny the flow
- visit: force the flow to pass through an intermediary
- avoid: forbid the flow from passing through an intermediary
- ratelimit: limit on Mb/second
Each flow is described by seven arguments: user source, host source, access point source, user target, host target, access point target, protocol.

11 Keyword: deny
"No phone can communicate with any private computer."
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
private(X) :- laptop(X)
private(X) :- desktop(X)

12 Keyword: visit
"Every wireless guest user must send HTTP requests through a proxy."
visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http

13 Operation
Given FSL policy  and flow, ask:
 |= deny(us,hs,as,ut,ht,at,p)
 |= allow(us,hs,as,ut,ht,at,p)
{X |  |= visit(us,hs,as,ut,ht,at,p,X)}
{X |  |= avoid(us,hs,as,ut,ht,at,p,X)}
{X |  |= ratelimit(us,hs,as,ut,ht,at,p,X)}

14 FSL Complexity
Query processing is PSPACE-complete in the size of the policy for an arbitrary query.
When queries are restricted to keywords, query processing takes polynomial time in the size of the policy.
If the tallest possible call stack (path through the dependency graph) is 1, then query processing takes linear time in the size of the policy.

15 Compilation Example
"No phone can communicate with any private computer."
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
private(X) :- laptop(X)
private(X) :- desktop(X)

16 Compilation Example
    bool deny(Usrc, Hsrc, Asrc, Utgt, Htgt, Atgt, Prot) {
        return (phone(Hsrc) && private(Htgt)) || (private(Hsrc) && phone(Htgt));
    }
    bool private(X) {
        return laptop(X) || desktop(X);
    }
Assume the existence of functions for phone, laptop, desktop.

17 Deployment Experiences On a small internal network (about 50 hosts), NOX has been in use over a year, and FSL has been in use for 10 months. We are preparing for two larger deployments (of hundreds and thousands of hosts). So far, policies are expressed over just a few classes of objects. Thus, we expect policies to grow slowly with the number of principals.

18 Questions

19 References
[Gude2008] N. Gude et al. NOX: Towards an Operating System for Networks. Computer Communications Review, 2008.
[Hinrichs2009] T. Hinrichs et al. Design and Implementation of a Flow-based Security Language. Under review. Available upon request.

20 Related Work Comparison
Limitations:
- Not using FOL, modal logic, linear logic
- No existential variables
- No recursion
- Fixed conflict resolution scheme
- No delegation
- No history/future-dependent policies
- Centralized enforcement
- Limited metalevel operations
Novel language features:
- Access control decisions are constraints.
- Conflict resolution produces a constraint set.
For citations, see [Hinrichs2009].

21 Backup

22 FSL Features
Logical language:
- Distributed policy authorship
- External references
- Conflicts, conflict detection, conflict resolution
- Incremental policy authorship via priorities
- Analyzability
High performance: 10^4-10^5 queries/second
Layered language: Logic, Data, Keywords, Conflicts, Prioritization

23 Conflicts
Conflicts are vital in collaborative settings because they allow administrators to express their true intentions.
Authorization systems cannot enforce conflicting security policies.
(Table: pairwise conflicts among the keywords deny, avoid, visit, allow, ratelimit.)

24 FSL Usage Overview
(Figure: Policy 1 … Policy n are merged into a Combined Policy, which feeds the Analysis Engine and the Authorization System.)

25 Conflict Resolution
- No conflicts: conflicts are errors.
- Most restrictive: choose instructions that give users the least rights.
- Most permissive: choose policy instructions that give users the most rights.
- Cancellation: a flow with conflicting constraints has no constraints.

26 Conflict Resolution as a Tool
Fixing the conflict resolution mechanism allows certain policies to be expressed very simply.
Example (Open Policy): allow everything not explicitly denied.
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)

27 Incremental Policy Authoring
To tighten an FSL policy, one needs only to add statements to it. The conflict resolution strategy ensures that the most restrictive constraints are used.
To relax an FSL policy, it is therefore insufficient to simply add statements.

28 Prioritized Policies
Borrow a mechanism from Cascading Style Sheets (CSS). To relax security incrementally, FSL allows one policy to be overridden by another policy.
P1 < P2: a request constrained by P2 is only constrained by P2.

29 Example
P2:
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- Usrc=ceo
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)
superuser(bob)
superuser(alice)
P1:
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
private(X) :- laptop(X)
private(X) :- desktop(X)
visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :-  guest(Usrc), server(Htgt)
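The keyword queries of slide 13, the compiled form of slides 15-16, and the cascade of slides 28-29 under most-restrictive conflict resolution (slide 25), as one added Python example; this is not code from the paper or from NOX. The host, user and access-point sets are constructed sample data standing in for external references, and reading "deny outranks every other constraint" as the most-restrictive rule is an assumption.

```python
from collections import namedtuple

# A flow carries the seven FSL keyword arguments (constructed schema, not NOX's own types).
Flow = namedtuple("Flow", "usrc hsrc asrc utgt htgt atgt prot")

# External references: constructed sample sets standing in for the network's directory.
PHONES, LAPTOPS, DESKTOPS = {"ph1"}, {"lt1"}, {"dk1"}
GUESTS, SUPERUSERS, WIRELESS = {"guest1"}, {"bob", "alice"}, {"wifi1"}

def private(x):
    # private(X) :- laptop(X)      private(X) :- desktop(X)
    return x in LAPTOPS or x in DESKTOPS

def policy1(f):
    """P1 (base policy): the deny and visit rules of the slides, compiled to Python."""
    c = set()
    # deny(...) :- phone(Hsrc), private(Htgt)     deny(...) :- private(Hsrc), phone(Htgt)
    if (f.hsrc in PHONES and private(f.htgt)) or (private(f.hsrc) and f.htgt in PHONES):
        c.add(("deny",))
    # visit(..., httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http
    if f.usrc in GUESTS and f.asrc in WIRELESS and f.prot == "http":
        c.add(("visit", "httpproxy"))
    return c

def policy2(f):
    """P2 (P1 < P2): allow(...) :- Usrc=ceo     allow(...) :- superuser(Usrc)."""
    return {("allow",)} if f.usrc == "ceo" or f.usrc in SUPERUSERS else set()

def most_restrictive(constraints):
    """Conflict resolution: a deny outranks every other constraint on the flow
    (assumed reading of 'least rights'); otherwise all constraints are kept."""
    return {("deny",)} if ("deny",) in constraints else constraints

def decide(f, cascade=(policy1, policy2)):
    """Flatten the cascade: a flow constrained by the higher-priority policy is
    constrained only by it; otherwise fall through to the next lower policy."""
    for policy in reversed(cascade):          # highest priority first
        constraints = policy(f)
        if constraints:
            return most_restrictive(constraints)
    return set()                               # unconstrained under this cascade

if __name__ == "__main__":
    print(decide(Flow("ceo", "ph1", "wifi1", "u2", "lt1", "ap1", "http")))     # P2 overrides P1
    print(decide(Flow("guest1", "ph1", "wifi1", "u2", "lt1", "ap1", "http")))  # deny wins over visit
```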

30 Cascaded Policy Combination
(Figure: cascades Policy 1,1 … Policy 1,m1 through Policy n,1 … Policy n,mn are merged into one Combined Policy.)

31 Cascaded Policy Combination
(Figure: Policy 1 … Policy n combined into one policy.)
1. Flatten cascades.
2. Combine results.

32 Features
- Distributed policy authorship
- External references
- Conflict detection/resolution
- Incremental policy authorship via priorities
- Analyzability
High performance: 10^4 queries/second
Layered language: Logic, Data, Keywords, Conflict Resolution, Prioritization

33 Analysis Algorithms
- Flattened Cascade: a policy cascade expressed as a flat policy.
- Group Normal Form: every rule body consists only of external references (and =).
- Conflict Conditions: conditions on external references under which there will be a conflict.
- Conflict-free Normal Form: equivalent policy (under conflict resolution) without conflicts.

34 10^-5 seconds
Operation                                                   Avg. seconds
true && false                                               2.7 x 10^-9
function f (x y) (x && y)) f(true,false)                    3.8 x 10^-8
equalp("mary had a little lamb", "Mary Had A Little Lamb")  2.1 x 10^-6
samep(p(X,Y,X,a), p(Z,T,Z,a))                               6.7 x 10^-6
matchp(p(X,Y,X,a), p(b,c,b,a))                              7.3 x 10^-6
mgup(p(X,c,X,a), p(b,T,Z,a))                                1.3 x 10^-5
unifyp(p(X,c,X,a), p(b,T,Z,a))                              2.7 x 10^-5

35 Implementation Tests
Rules          Flows/s    Mem (MB)   Rule Matches
0 rules        103,699    0          0
100 rules      100,942    1          2
500 rules       85,373    1          4
1,000 rules     76,336    2          10
5,000 rules     54,416    9          30
10,000 rules    46,956    38         52

36 Ongoing Work
Currently, each flow initiation requires contacting a central controller. The route for that flow is cached at the router.
Working to generalize this caching scheme: each trip to the central controller caches more than just the route for one flow.
