Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks

Nicolas Schnepf 1, 2, 3 Remi Badonnel 1, 3 Abdelkader Lahmadi 1, 3 Stephan Merz 2, 3
1 MADYNES - Management of dynamic networks and services
LORIA - NSS - Department of Networks, Systems and Services, Inria Nancy - Grand Est
2 VERIDIS - Modeling and Verification of Distributed Algorithms and Systems
Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
3 RESIST - Resilience and Elasticity for Security and ScalabiliTy of dynamic networked systems
Inria Nancy - Grand Est, LORIA - NSS - Department of Networks, Systems and Services
Abstract: Software-defined networks (SDN) offer a high degree of programmability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in Pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties, such as the absence of black holes or loops and shadowing freedom, and that they are coherent with the underlying security policy.
Document type:
Conference paper
AVOCS 2018 - 18th International Workshop on Automated Verification of Critical Systems, Jul 2018, Oxford, United Kingdom. 2018, Proceedings of the International Workshop on Automated Verification of Critical Systems

https://hal.archives-ouvertes.fr/hal-01892423
Contributor: Rémi Badonnel <>
Submitted on: Friday 7 December 2018 - 14:59:27
Last modified on: Thursday 7 February 2019 - 17:34:52

File

main.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01892423, version 1

Citation

Nicolas Schnepf, Remi Badonnel, Abdelkader Lahmadi, Stephan Merz. Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks. AVOCS 2018 - 18th International Workshop on Automated Verification of Critical Systems, Jul 2018, Oxford, United Kingdom. 2018, Proceedings of the International Workshop on Automated Verification of Critical Systems. 〈hal-01892423〉
