Finding the Dark Cloud: Static Analysis of Cloud Configurations - PowerPoint PPT Presentation

1 / 32
About This Presentation
Title:

Finding the Dark Cloud: Static Analysis of Cloud Configurations

Description:

Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University * A Cloud of Policies Application Author: end-user access ... – PowerPoint PPT presentation

Number of Views:112
Avg rating:3.0/5.0
Slides: 33
Provided by: ShriramKri5
Category:

less

Transcript and Presenter's Notes

Title: Finding the Dark Cloud: Static Analysis of Cloud Configurations


1
Finding the Dark CloudStatic Analysis ofCloud
Configurations
  • Shriram KrishnamurthiBrown University

1
2
A Cloud of Policies
  • Application Authorend-user access-control,
  • Datacenter Administratorfirewalls, hypervisor
    Chinese Walls,
  • Cloud-Based App Builder

3
Cloud-Based App Builder
  • Need isolation at serverand network level
  • Shenoy

4
  • and other dens of iniquity

5
(No Transcript)
6
(No Transcript)
7
int
dmz
dmz
ext
8
(No Transcript)
9
  • ACL for External firewall
  • 1 DENY if ifcfw1_dmz, ipdest in blacklist
  • 2 DENY if ifcfw1_ext, ipsrc in blacklist
  • 3 DENY if ifcfw1_dmz, portdesttelnet
  • 4 ACCEPT if ifcfw1_ext, ipdestmailserver,
    portdestsmtp, prototcp
  • 5 ACCEPT if ifcfw1_ext, ipdestwebserver,
    portdesthttp, prototcp
  • 6 ACCEPT if ifcfw1_dmz, ipdestany outside,
    portdesthttp, prototcp, ipsrcmanager
  • 7 DROP otherwise

10
(No Transcript)
11
Problem
The manager cant connect to the Web.
12
Policy Analysis
  • Using Margrave

12
13
  • When can a connection from the managers PC be
    denied if its
  • to port 80 (www)
  • over TCP
  • to any machine?

14
  • ? p . p.dstprt www ? p.proto TCP ?
  • p.ipdest ? outIPs ? p.ipsrc manager
  • Int.ACL denies p
  • ? ? p . Int.NAT translates p to p
  • ? p.dstprt p.dstprt
  • ? p.proto p.proto
  • ? p.ipdest p.ipdest
  • ? Ext.ACL denies p

15
  • p.entry-interface IntFW.int
  • p.ipsrc manager
  • p.ipdest in outIPs
  • p.srcprt any
  • p.dstprt www
  • p.proto tcp
  • p p except
  • p.entry-interface ExtFW.dmz
  • p.ipsrc fw2_static

16
  • When can a connection from the managers PC be
    denied if its
  • to port 80 (www)
  • over TCP
  • to any machine?
  • Always.

17
  • same query,but with rule-tracing enabled.
  • same response, with
  • Ints ACL accepts the packet via rule 4.
  • Ints NAT applies to the packet.
  • Ints ACL denies the post-NAT packet via rule 7.

18
(No Transcript)
19
  • ACL for External firewall
  • 1 DENY if ifcfw1_dmz, ipdest in blacklist
  • 2 DENY if ifcfw1_ext, ipsrc in blacklist
  • 3 DENY if ifcfw1_dmz, portdesttelnet
  • 4 ACCEPT if ifcfw1_ext, ipdestmailserver,
    portdestsmtp, prototcp
  • 5 ACCEPT if ifcfw1_ext, ipdestwebserver,
    portdesthttp, prototcp
  • 6 ACCEPT if ifcfw1_dmz, ipdestany outside,
    portdesthttp, prototcp, ipsrcmanagerfw2_static
  • 7 DROP otherwise

20
?
thepolicy
?
P
Does
its property?
satisfy
21
?
Can people state them? Are they good enough?
?
P
They tend to think in terms of
procedures,rather than goals Anderson
21
22
-
P
P
Help people with policy evolution study what has
changed
22
23
  • ? p . Int.ACL accepts p ?
  • ? p . Int.NAT translates p to p
  • ? p.dstprt p.dstprt
  • ? p.proto p.proto
  • ? p.ipdest p.ipdest
  • ? ((Ext.ACL denies p ?
  • Ext.ACLNew accepts p) ?
  • (Ext.ACL accepts p ?
  • Ext.ACLNew denies p))

24
Presenting Change
A function mappingrequests tochanges in outcome
Deny to Permit Permit to Deny
?
packets
25
  • p.entry-interface fw2_int
  • p.ipsrc manager
  • p.ipdest in outIPs
  • p.srcprt any
  • p.dstprt www
  • p.protocol tcp

Denied ? Permit
p.entry-interface fw2_int p.ipsrc
contractor p.ipdest in outIPs p.srcprt
any p.dstprt www p.protocol tcp
p.entry-interface fw2_int p.ipsrc
employee p.ipdest in outIPs p.srcprt
any p.dstprt www p.protocol tcp
26
Change as a First-Class Entity
  • Restrict changes to External Firewall
  • View
  • Which machines lost privileges?
  • Query
  • Confirm no machines gained privileges
  • Verification

27
Configuration checking
Refactoring testing
?
What if questions
Upgrade checking
Finding hotspots
Mutationtesting
27
28
Scope of Margrave
  • Most of XACML 1.0 and 2.0
  • Cisco IOS
  • ACL standard and extended
  • NAT static dynamic ACL-based, map-based
  • routing static and policy-based
  • limited BGP announcements and VPN endpoints
  • Amazon Access Policy Language (in SQS)
  • Hypervisor, based on sHype (IBM)
  • A Datalog-based intermediate language

29
Performance
  • Production firewall (1108 rules)
  • Change-impact
  • Time 2.5 sec
  • Space baseline 83 Mb
  • List all superfluous rules
  • Time 10 min
  • Space baseline 467 Mb

Production XACML policy Verification Time
lt10 millisec Space baseline 316
Kb Change-impact Time 2 millisec Space
baseline 16 Kb
30
Under the Hood
  • Translation into first-order logic
  • Propositionalize to BDDs and SAT
  • Bernays-Schönfinkel-Ramsey class
  • Extended to multi-sorted logic
  • Some small theories for networking
  • Aggregation to compress i. and o.
  • Rule-tracing ? EDBs and IDBs in models

31
Upcoming Work
  • More sophisticated modeling of state
  • Visualization of output
  • Generating constraints on components
  • Suggesting repairs
  • Handling numerics

32
  • Dan Dougherty WPI
  • Kathi Fisler WPI
  • Tim Nelson WPI
  • Alums
  • Leo Meyerovich Brown u.g. ? Berkeley
  • Michael Tschantz Brown u.g. ? CMU
  • http//www.margrave-tool.org/
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Finding the Dark Cloud: Static Analysis of Cloud Configurations" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!