FSL: A Flow-based Security Language - PowerPoint PPT Presentation

1
FSL: A Flow-based Security Language
  • Tim Hinrichs, University of Chicago
  • Natasha Gude, Nicira Networks
  • Martín Casado, Nicira Networks
  • John Mitchell, Stanford University
  • Scott Shenker, UC Berkeley
2
Local Area Networks
3
Network Policy Examples
  • Every wireless guest user must send HTTP
    requests through an HTTP proxy.
  • No phone can communicate with any private
    computer.
  • Superusers have no communication restrictions.
  • Laptops cannot receive incoming connections.

4
NOX: a Network Architecture (Ethane's successor)
(Diagram: App 1, App 2 and App 3 run on the NOX Controller on top of its Network View; the controller manages OF (OpenFlow) switches and a wireless OF switch that connect PCs and off-the-shelf hosts.)
See Gude2008
5
NOX Operation
6
NOX Operation
SECURITY POLICY
7
NOX Operation
8
FSL
  • FSL: Flow Security Language
  • FSL balances two competing goals: making network
    policies natural to express and making them
    efficient to implement.

9
A Datalog Variant
  • Syntax
  • h :- b1, ..., bn, ¬c1, ..., ¬cm
  • h must exist.
  • Every variable in the body must appear in h.
  • Nonrecursive sentence sets.
  • Semantics
  • Statement order is irrelevant.
  • Every sentence set is satisfied by exactly one
    model.

10
Network Flows
  • Protocol
  • User source
  • Host source
  • Access point source
  • User target
  • Host target
  • Access point target
  • Keywords for constraining the flow's route:
  • allow: allow the flow
  • deny: deny the flow
  • visit: force the flow to pass through an
    intermediary
  • avoid: forbid the flow from passing through an
    intermediary
  • ratelimit: limit in Mb/second

11
Keyword deny
  • No phone can communicate with any private
    computer.
  • deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
  • deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
  • private(X) :- laptop(X)
  • private(X) :- desktop(X)

12
Keyword visit
  • Every wireless guest user must send HTTP
    requests through a proxy.
  • visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot = http

13
Operation
  • Given an FSL policy P and a flow
    <us,hs,as,ut,ht,at,p>, ask:
  • does P entail deny(us,hs,as,ut,ht,at,p)?
  • does P entail allow(us,hs,as,ut,ht,at,p)?
  • for which X does P entail visit(us,hs,as,ut,ht,at,p,X)?
  • for which X does P entail avoid(us,hs,as,ut,ht,at,p,X)?
  • for which X does P entail ratelimit(us,hs,as,ut,ht,at,p,X)?

14
FSL Complexity
  • Query processing is PSPACE-complete in the size
    of the policy for an arbitrary query.
  • When queries are restricted to keywords, query
    processing takes polynomial time in the size of
    the policy.
  • If the tallest possible call stack (path through
    the dependency graph) is 1, then query processing
    takes linear time in the size of the policy.

15
Compilation Example
  • No phone can communicate with any private
    computer.
  • deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
  • deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
  • private(X) :- laptop(X)
  • private(X) :- desktop(X)

16
Compilation Example
  • bool deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)
      return (phone(Hsrc) ∧ private(Htgt)) ∨ (private(Hsrc) ∧ phone(Htgt))
  • bool private(X)
      return laptop(X) ∨ desktop(X)
  • Assume the existence of functions for phone,
    laptop, desktop.
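
The deny and visit rules of slides 11 and 12, hand-compiled into boolean and set-valued functions the way slide 16 describes and then queried as on slide 13. This is an added Python example, not code from the slides or from the NOX/FSL implementation; the inventory sets that stand in for the external references phone, laptop, desktop, guest and wireless are constructed.

```python
from collections import namedtuple

# A flow is the 7-tuple of slide 10: user, host and access-point source,
# user, host and access-point target, plus the protocol.
Flow = namedtuple("Flow", "usrc hsrc asrc utgt htgt atgt prot")

# Constructed inventory standing in for the external references
# (phone, laptop, desktop, guest, wireless) that the slides assume exist.
PHONES = {"phone-1"}
LAPTOPS = {"laptop-1"}
DESKTOPS = {"desktop-1"}
GUESTS = {"visitor"}
WIRELESS_APS = {"ap-wifi"}

def phone(h):    return h in PHONES
def laptop(h):   return h in LAPTOPS
def desktop(h):  return h in DESKTOPS
def guest(u):    return u in GUESTS
def wireless(a): return a in WIRELESS_APS

# private(X) :- laptop(X).   private(X) :- desktop(X).
def private(x):
    return laptop(x) or desktop(x)

# deny(...) :- phone(Hsrc), private(Htgt).
# deny(...) :- private(Hsrc), phone(Htgt).
def deny(f):
    return (phone(f.hsrc) and private(f.htgt)) or (private(f.hsrc) and phone(f.htgt))

# visit(..., httpproxy) :- guest(Usrc), wireless(Asrc), Prot = http.
# The keyword carries an extra argument, so the slide-13 query asks for the
# set of intermediaries X the flow must pass through, not for a boolean.
def visit(f):
    intermediaries = set()
    if guest(f.usrc) and wireless(f.asrc) and f.prot == "http":
        intermediaries.add("httpproxy")
    return intermediaries

def constraints(f):
    """Slide 13: ask the compiled policy about one flow and collect each
    keyword's answer into the constraint set that is handed to NOX."""
    return {"deny": deny(f), "visit": visit(f)}

if __name__ == "__main__":
    guest_http = Flow("visitor", "laptop-1", "ap-wifi", "", "web-1", "ap-wired", "http")
    print(constraints(guest_http))   # {'deny': False, 'visit': {'httpproxy'}}
```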

17
Deployment Experiences
  • On a small internal network (about 50 hosts), NOX
    has been in use over a year, and FSL has been in
    use for 10 months.
  • We are preparing for two larger deployments (of
    hundreds and thousands of hosts).
  • So far, policies are expressed over just a few
    classes of objects.
  • Thus, we expect policies to grow slowly with the
    number of principals.

18
Questions
19
References
  • Gude2008: N. Gude et al. NOX: Towards an
    Operating System for Networks. Computer
    Communications Review, 2008.
  • Hinrichs2009: T. Hinrichs et al. Design and
    Implementation of a Flow-based Security Language.
    Under review. Available upon request.

20
Related Work Comparison
  • Limitations:
  • Not using FOL, modal logic, or linear logic
  • No existential variables
  • No recursion
  • Fixed conflict resolution scheme
  • No delegation
  • No history/future-dependent policies
  • Centralized enforcement
  • Limited metalevel operations
  • Novel language features:
  • Access control decisions are constraints.
  • Conflict resolution produces a constraint set.

For citations, see Hinrichs2009.
21
Backup
22
FSL Features
  • Logical language
  • Distributed policy authorship
  • External references
  • Conflicts, conflict detection, conflict
    resolution
  • Incremental policy authorship via priorities
  • Analyzability
  • High performance: 10^4 to 10^5 queries/second
  • Layered language

(Diagram of the layered language, top to bottom: Prioritization, Conflicts, Keywords, Logic, Data.)
23
Conflicts
  • Conflicts are vital in collaborative settings
    because they allow administrators to express
    their true intentions.
  • Authorization systems cannot enforce conflicting
    security policies.

24
FSL Usage Overview
(Diagram: Policy 1 through Policy n are merged into a Combined Policy, which feeds the Analysis Engine and the Authorization System.)
25
Conflict Resolution
  • No conflicts: conflicts are errors.
  • Most restrictive: choose the instructions that
    give users the least rights.
  • Most permissive: choose the policy instructions
    that give users the most rights.
  • Cancellation: a flow with conflicting constraints
    has no constraints.

26
Conflict Resolution as a Tool
  • Fixing the conflict resolution mechanism allows
    certain policies to be expressed very simply.
  • Example (Open Policy): allow everything not
    explicitly denied.
  • allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)
  • deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
  • deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)

27
Incremental Policy Authoring
  • To tighten an FSL policy, one needs only to add
    statements to it.
  • The conflict resolution strategy ensures that the
    most restrictive constraints are used.
  • To relax an FSL policy, it is therefore
    insufficient to simply add statements.

28
Prioritized Policies
  • Borrow a mechanism from Cascading Style Sheets
    (CSS).
  • To relax security incrementally, FSL allows one
    policy to be overridden by another policy.
  • P1 < P2
  • A request constrained by P2 is only constrained
    by P2.

29
Example
  • P1:
  • allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)
  • superuser(bob)
  • superuser(alice)
  • deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
  • deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
  • private(X) :- laptop(X)
  • private(X) :- desktop(X)
  • visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot = http
  • allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- ¬guest(Usrc), server(Htgt)
  • P2:
  • allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- Usrc = ceo
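
The "most restrictive" conflict resolution of slide 25 applied to the open policy of slide 26, which also shows the incremental tightening of slide 27 (the deny rules added on top of a blanket allow), and the P1 < P2 cascade of slides 28 and 29. This is an added Python example, not code from the slides or from the FSL implementation; the host inventory is constructed and policies are modelled as lists of rule functions rather than as Datalog text.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "usrc hsrc asrc utgt htgt atgt prot")

# Constructed inventory standing in for the external references.
PHONES, LAPTOPS, DESKTOPS = {"phone-1"}, {"laptop-1"}, {"desktop-1"}

def private(x):
    return x in LAPTOPS or x in DESKTOPS

# A policy is a list of rules. Each rule returns the keyword it asserts for a
# flow ("allow" or "deny") or None when its body is not satisfied.
# Open policy (slide 26): allow everything not explicitly denied.
OPEN_POLICY = [
    lambda f: "allow",                                                   # allow(...)
    lambda f: "deny" if f.hsrc in PHONES and private(f.htgt) else None,  # phone -> private
    lambda f: "deny" if private(f.hsrc) and f.htgt in PHONES else None,  # private -> phone
]

# P2 of slide 29: allow(...) :- Usrc = ceo
CEO_POLICY = [lambda f: "allow" if f.usrc == "ceo" else None]

def raw_constraints(policy, f):
    """Every instruction the policy asserts for f, conflicts included."""
    return {c for c in (rule(f) for rule in policy) if c is not None}

def most_restrictive(constraints):
    """Slide 25: of conflicting instructions keep the one that gives the
    user the least rights, so deny wins over allow."""
    return constraints - {"allow"} if "deny" in constraints else constraints

def evaluate(policy, f):
    return most_restrictive(raw_constraints(policy, f))

def cascade(lower, higher, f):
    """Slide 28, lower < higher: a flow constrained by the higher-priority
    policy is constrained only by it; otherwise the lower policy applies."""
    high = evaluate(higher, f)
    return high if high else evaluate(lower, f)

if __name__ == "__main__":
    phone_to_laptop = Flow("bob", "phone-1", "ap-wifi", "", "laptop-1", "ap-wired", "ssh")
    print(evaluate(OPEN_POLICY, phone_to_laptop))                                   # {'deny'}
    print(cascade(OPEN_POLICY, CEO_POLICY, phone_to_laptop._replace(usrc="ceo")))  # {'allow'}
```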
30
Cascaded Policy Combination
(Diagram: each of the n policies is a cascade of levels, Policy i,1 through Policy i,m_i; the n cascades feed one Combined Policy.)
31
Cascaded Policy Combination
  1. Flatten cascades.
  2. Combine results.

(Diagram: the flattened Policy 1 through Policy n are combined into the Combined Policy.)
32
Features
  • Distributed policy authorship
  • External references
  • Conflict detection/resolution
  • Incremental policy authorship via priorities
  • Analyzability
  • High performance: 10^4 queries/second
  • Layered language

(Diagram of the layered language, top to bottom: Prioritization, Conflict Resolution, Keywords, Logic, Data.)
33
Analysis Algorithms
  • Flattened Cascade: a policy cascade expressed as
    a flat policy.
  • Group Normal Form: every rule body consists only
    of external references (and equalities).
  • Conflict Conditions: conditions on external
    references under which there will be a conflict.
  • Conflict-free Normal Form: an equivalent policy
    (under conflict resolution) without conflicts.

34
Operation                                                  Avg. seconds
true ∧ false                                               2.7 × 10^-9
f(true,false), where function f(x,y) = x ∧ y               3.8 × 10^-8
equalp(mary had a little lamb, Mary Had A Little Lamb)     2.1 × 10^-6
samep(p(X,Y,X,a), p(Z,T,Z,a))                              6.7 × 10^-6
matchp(p(X,Y,X,a), p(b,c,b,a))                             7.3 × 10^-6
mgup(p(X,c,X,a), p(b,T,Z,a))                               1.3 × 10^-5
unifyp(p(X,c,X,a), p(b,T,Z,a))                             2.7 × 10^-5
35
Implementation Tests
Policy size     Flows/s    Mem (MB)    Rule matches
0 rules         103,699    0           0
100 rules       100,942    1           2
500 rules       85,373     1           4
1,000 rules     76,336     2           10
5,000 rules     54,416     9           30
10,000 rules    46,956     38          52
36
Ongoing Work
  • Currently, each flow initiation requires
    contacting a central controller.
  • The route for that flow is cached at the router.
  • Working to generalize this caching scheme.
  • Each trip to the central controller caches more
    than just the route for one flow.