Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks

Authors

  • Nicolas Schnepf University of Lorraine, LORIA, INRIA
  • Remi Badonnel University of Lorraine, LORIA, INRIA
  • Abdelkader Lahmadi University of Lorraine, LORIA, INRIA
  • Stephan Merz INRIA, LORIA

DOI:

https://doi.org/10.14279/tuj.eceasst.76.1075

Abstract

Software-defined networks (SDN) offer a high degree of programmability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications.
These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties such as the absence of black holes or loops, and shadowing freedom, and that they are coherent with the underlying security policy.

Downloads

Additional Files

Published

2019-05-14

How to Cite

[1]
N. Schnepf, R. Badonnel, A. Lahmadi, and S. Merz, “Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks”, eceasst, vol. 76, May 2019.

Issue

Vol. 76 (2019): Automated Verification of Critical Systems 2018 (AVoCS 2018)

Section

Articles

License

Copyright (c) 2019 Electronic Communications of the EASST

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.