Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks

Nicolas Schnepf 1, 2, 3 Remi Badonnel 1, 3 Abdelkader Lahmadi 1, 3 Stephan Merz 2, 3
1 MADYNES - Management of dynamic networks and services
Inria Nancy - Grand Est, LORIA - NSS - Department of Networks, Systems and Services
2 VERIDIS - Modeling and Verification of Distributed Algorithms and Systems
MPII - Max-Planck-Institut für Informatik, Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
3 RESIST - Resilience and Elasticity for Security and ScalabiliTy of dynamic networked systems
Inria Nancy - Grand Est, LORIA - NSS - Department of Networks, Systems and Services
Abstract : Software-defined networks (SDN) offer a high degree of pro-grammability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in Pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties such as the absence of black holes or loops, and shadowing freedom, and that they are coherent with the underlying security policy.
Document type :
Conference papers
Liste complète des métadonnées

https://hal.archives-ouvertes.fr/hal-01892423
Contributor : Rémi Badonnel <>
Submitted on : Friday, December 7, 2018 - 2:59:27 PM
Last modification on : Tuesday, February 19, 2019 - 3:40:04 PM
Document(s) archivé(s) le : Friday, March 8, 2019 - 3:04:30 PM

File

main.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01892423, version 1

Citation

Nicolas Schnepf, Remi Badonnel, Abdelkader Lahmadi, Stephan Merz. Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks. AVOCS 2018 - 18th International Workshop on Automated Verification of Critical Systems, Jul 2018, Oxford, United Kingdom. ⟨hal-01892423⟩

Share

Metrics

Record views

190

Files downloads

33