FSL: A Flow-based Security Language - PowerPoint PPT Presentation


Presentation Transcript
FSL: A Flow-based Security Language

Tim Hinrichs (University of Chicago)

Natasha Gude (Nicira Networks)

Martín Casado (Nicira Networks)

John Mitchell (Stanford University)

Scott Shenker (UC Berkeley)



Network Policy Examples

“Every wireless guest user must send HTTP requests through an HTTP proxy.”

“No phone can communicate with any private computer.”

“Superusers have no communication restrictions.”

“Laptops cannot receive incoming connections.”


NOX: a Network Architecture (Ethane’s successor)

[Diagram: a NOX Controller hosting App 1, App 2, App 3 and the Network View, connected to OpenFlow (OF) switches that attach a PC, a wireless access point and off-the-shelf hosts.]

See [Gude2008]



NOX Operation

[Diagram: NOX operation and the role of the security policy.]



FSL: Flow Security Language

FSL balances two goals: making network policies natural to express and making them efficient to implement.


A Datalog Variant

Syntax

h :- b1, …, bn, c1, …, cm

• h must exist.

• Every variable in the body must appear in h.

• Nonrecursive sentence sets.

Semantics

• Statement order is irrelevant.

• Every sentence set is satisfied by exactly one model.


Network Flows

Keywords for constraining a flow's route:

• allow: allow the flow

• deny: deny the flow

• visit: force the flow to pass through an intermediary

• avoid: forbid the flow from passing through an intermediary

• ratelimit: limit in Mb/second

A flow is described by seven fields:

• Protocol

• User source

• Host source

• Access point source

• User target

• Host target

• Access point target


Keyword: deny

“No phone can communicate with any private computer.”

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)

private(X) :- laptop(X)

private(X) :- desktop(X)


Keyword: visit

“Every wireless guest user must send HTTP requests through a proxy.”

visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http


Operation

Given an FSL policy and a flow <us,hs,as,ut,ht,at,p>, ask whether the policy entails

deny(us,hs,as,ut,ht,at,p)

allow(us,hs,as,ut,ht,at,p)

and compute the sets

{X | policy |= visit(us,hs,as,ut,ht,at,p,X)}

{X | policy |= avoid(us,hs,as,ut,ht,at,p,X)}

{X | policy |= ratelimit(us,hs,as,ut,ht,at,p,X)}
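As an added example (not code from the FSL paper or from NOX), the evaluator below implements the Datalog variant, the deny and visit rules from the keyword slides, and the five keyword queries of the Operation slide for one flow. The facts (phone, laptop, desktop, guest, wireless) and every host, user and access-point name are constructed for the example.

```python
FACTS = {  # constructed external references (the "Data" layer); names are made up
    "phone": {("h-phone",)}, "laptop": {("h-laptop",)}, "desktop": {("h-desk",)},
    "guest": {("eve",)}, "wireless": {("ap-wifi",)},
}
FLOW = ("Usrc", "Hsrc", "Asrc", "Utgt", "Htgt", "Atgt", "Prot")
RULES = [  # (head predicate, head args, body literals), as written on the slides
    ("deny", FLOW, [("phone", ("Hsrc",)), ("private", ("Htgt",))]),
    ("deny", FLOW, [("private", ("Hsrc",)), ("phone", ("Htgt",))]),
    ("private", ("X",), [("laptop", ("X",))]),
    ("private", ("X",), [("desktop", ("X",))]),
    ("visit", FLOW + ("httpproxy",),
     [("guest", ("Usrc",)), ("wireless", ("Asrc",)), ("=", ("Prot", "http"))]),
]

def is_var(term):
    """Variables start with an uppercase letter; everything else is a constant."""
    return isinstance(term, str) and term[:1].isupper()

def holds(pred, args):
    """Answers for pred(args); args are constants or None for a free position.
    Returns the set of tuples of values found for the free positions."""
    if pred == "=":
        return {()} if args[0] == args[1] else set()
    if pred in FACTS:
        return {tuple(v for v, a in zip(f, args) if a is None) for f in FACTS[pred]
                if all(a is None or a == v for a, v in zip(args, f))}
    answers = set()
    for head, hargs, body in RULES:
        if head != pred:
            continue
        env, ok = {}, True
        for h, a in zip(hargs, args):            # unify the head with the query
            ok &= env.setdefault(h, a) == a if is_var(h) else (a is None or a == h)
        for lit, largs in body:                  # every body variable is in the head,
            bound = tuple(env.get(t) if is_var(t) else t for t in largs)  # so bound
            ok = ok and None not in bound and bool(holds(lit, bound))  # nonrecursive
        if ok:
            answers.add(tuple(env[h] if is_var(h) else h
                              for h, a in zip(hargs, args) if a is None))
    return answers

def fsl_constraints(flow):
    """The five keyword queries of the Operation slide for one <us,...,p> flow."""
    sets = {k: {x for (x,) in holds(k, flow + (None,))} for k in ("visit", "avoid", "ratelimit")}
    return {"deny": bool(holds("deny", flow)), "allow": bool(holds("allow", flow)), **sets}
```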


FSL Complexity

Query processing is PSPACE-complete in the size of the policy for an arbitrary query.

When queries are restricted to keywords, query processing takes polynomial time in the size of the policy.

If the tallest possible call stack (path through the dependency graph) is 1, then query processing takes linear time in the size of the policy.


Compilation Example

“No phone can communicate with any private computer.”

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)

private(X) :- laptop(X)

private(X) :- desktop(X)


Compilation Example

#include <stdbool.h>

/* External references: assumed to be supplied by the network view. */
bool phone(const char *host);
bool laptop(const char *host);
bool desktop(const char *host);

bool private(const char *X) {
    return laptop(X) || desktop(X);
}

bool deny(const char *Usrc, const char *Hsrc, const char *Asrc,
          const char *Utgt, const char *Htgt, const char *Atgt,
          const char *Prot) {
    return (phone(Hsrc) && private(Htgt)) ||
           (private(Hsrc) && phone(Htgt));
}

Assume the existence of functions for phone, laptop, desktop (written above with C signatures over host identifiers).


Deployment Experiences

• On a small internal network (about 50 hosts), NOX has been in use for over a year, and FSL has been in use for 10 months.

• We are preparing for two larger deployments (of hundreds and thousands of hosts).

• So far, policies are expressed over just a few classes of objects. Thus, we expect policies to grow slowly with the number of principals.



References

[Gude2008] N. Gude et al. NOX: Towards an Operating System for Networks. Computer Communications Review, 2008.

[Hinrichs2009] T. Hinrichs et al. Design and Implementation of a Flow-based Security Language. Under review. Available upon request.


Related Work Comparison

Limitations

• Not using FOL, modal logic, linear logic

• No existential variables

• No recursion

• Fixed conflict resolution scheme

• No delegation

• No history/future-dependent policies

• Centralized enforcement

• Limited metalevel operations

Novel language features

• Access control decisions are constraints.

• Conflict resolution produces a constraint set.

For citations, see [Hinrichs2009].



FSL Features

• Logical language: distributed policy authorship

• External references

• Conflicts, conflict detection, conflict resolution

• Incremental policy authorship via priorities

• Analyzability

• High performance: 10^4–10^5 queries/second

Layered language (top to bottom):

• Prioritization

• Conflicts

• Keywords

• Logic

• Data


Conflicts

[Diagram: the keywords deny, avoid, visit, allow and ratelimit paired against each other, showing which constraints conflict.]

Conflicts are vital in collaborative settings because they allow administrators to express their true intentions.

Authorization systems cannot enforce conflicting security policies.


FSL Usage Overview

[Diagram: Policy 1 … Policy n are merged into a Combined Policy, which feeds the Analysis Engine and the Authorization System.]


Conflict Resolution

• No conflicts: conflicts are errors.

• Most restrictive: choose the instructions that give users the least rights.

• Most permissive: choose the policy instructions that give users the most rights.

• Cancellation: a flow with conflicting constraints has no constraints.


Conflict Resolution as a Tool

Fixing the conflict resolution mechanism allows certain policies to be expressed very simply.

Example (Open Policy): allow everything not explicitly denied.

allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)


Incremental Policy Authoring

To tighten an FSL policy, one needs only to add statements to it.

The conflict resolution strategy ensures that the most restrictive constraints are used.

To relax an FSL policy, it is therefore insufficient to simply add statements.


Prioritized Policies

Borrow a mechanism from Cascading Style Sheets (CSS).

To relax security incrementally, FSL allows one policy to be overridden by another policy.

P1 < P2

A request constrained by P2 is only constrained by P2.


Example

P1 < P2

P2:

allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- Usrc=ceo

allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)

superuser(bob)

superuser(alice)

P1:

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)

private(X) :- laptop(X)

private(X) :- desktop(X)

visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http

allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- guest(Usrc), server(Htgt)


Cascaded Policy Combination

[Diagram: each author i contributes a cascade Policy i,1 < Policy i,2 < … < Policy i,m_i; the n cascades (i = 1 … n) are merged into a Combined Policy.]


Cascaded Policy Combination

Flatten cascades.

Combine results.

[Diagram: each cascade is flattened to a single Policy i (i = 1 … n); these are then merged into the Combined Policy.]
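The Conflict Resolution, Prioritized Policies, Example and Cascaded Policy Combination slides describe one procedure; as an added example (not the FSL implementation), the code below flattens each author's cascade and combines the results under each of the four resolution schemes. It assumes a "verdict" in the shape of the keyword queries' answers for one flow, and it treats allow together with deny, or two different rate limits, as the conflicts; that choice and the exact effect of each scheme are this example's own reading of the slides.

```python
KEYS = ("deny", "allow", "visit", "avoid", "ratelimit")   # the FSL keywords

def empty():
    """A verdict with no constraints: one policy's answer for one flow."""
    return {"deny": False, "allow": False, "visit": set(), "avoid": set(), "ratelimit": set()}

def is_constrained(v):
    return any(v[k] for k in KEYS)

def flatten_cascade(cascade):
    """cascade = [P1, P2, ...] with P1 < P2 < ...: a flow constrained by a
    higher-priority policy is constrained only by it, otherwise fall through."""
    return next((v for v in reversed(cascade) if is_constrained(v)), empty())

def conflicts(v):
    """Conflict conditions assumed for this example: allow together with deny,
    or two different rate limits for the same flow."""
    found = []
    if v["deny"] and v["allow"]:
        found.append("deny/allow")
    if len(v["ratelimit"]) > 1:
        found.append("ratelimit")
    return found

def combine(verdicts, strategy):
    """Merge several authors' verdicts for one flow under a resolution scheme."""
    merged = {"deny": any(v["deny"] for v in verdicts),
              "allow": any(v["allow"] for v in verdicts)}
    for k in ("visit", "avoid", "ratelimit"):
        merged[k] = set().union(*(v[k] for v in verdicts))
    clash = conflicts(merged)
    if not clash:
        return merged
    if strategy == "no conflicts":        # conflicts are errors
        raise ValueError(f"conflicting constraints: {clash}")
    if strategy == "cancellation":        # a conflicting flow gets no constraints
        return empty()
    if strategy == "most restrictive":    # least rights: deny wins, lowest limit
        merged["allow"] = merged["allow"] and not merged["deny"]
        merged["ratelimit"] = {min(merged["ratelimit"])} if merged["ratelimit"] else set()
        return merged
    if strategy == "most permissive":     # most rights: allow wins, highest limit
        merged["deny"] = merged["deny"] and not merged["allow"]
        merged["ratelimit"] = {max(merged["ratelimit"])} if merged["ratelimit"] else set()
        return merged
    raise ValueError(f"unknown strategy {strategy!r}")

def combine_cascades(cascades, strategy):
    """'Flatten cascades. Combine results.' for one flow across all authors."""
    return combine([flatten_cascade(c) for c in cascades], strategy)
```

With the slides' Example policy, a superuser on a phone talking to a laptop gets deny from P1 and allow from P2: as two independent authors under "most restrictive" the flow is denied, whereas in the cascade P1 < P2 only P2's allow applies.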


Features

• Distributed policy authorship

• External references

• Conflict detection/resolution

• Incremental policy authorship via priorities

• Analyzability

• High performance: 10^4 queries/second

Layered language (top to bottom):

• Prioritization

• Conflict Resolution

• Keywords

• Logic

• Data


Analysis Algorithms

Flattened Cascade: a policy cascade expressed as a flat policy.

Group Normal Form: every rule body consists only of external references (and =).

Conflict Conditions: conditions on external references under which there will be a conflict.

Conflict-free Normal Form: an equivalent policy (under conflict resolution) without conflicts.


[Chart: average seconds per analysis operation; the axis scale is 10^-5 seconds.]



Ongoing Work

Currently, each flow initiation requires contacting a central controller.

The route for that flow is then cached at the router.

We are working to generalize this caching scheme so that each trip to the central controller caches more than just the route for one flow.

