A Cut Principle for Information Flow

We view a distributed system as a graph of active locations with unidirectional channels between them, through which they pass messages. In this context, the graph structure of a system constrains the propagation of information through it. Suppose a set of channels is a cut set between an information source and a potential sink. We prove that, if there is no disclosure from the source to the cut set, then there can be no disclosure to the sink. We introduce a new formalization of partial disclosure, called *blur operators*, and show that the same cut property is preserved for disclosure to within a blur operator. This cut-blur property also implies a compositional principle, which ensures limited disclosure for a class of systems that differ only beyond the cut.Comment: 31 page

Reasoning techniques for analysis and refinement of policies for service management

The work described in this technical report falls under the general problem of developing methods that would allow us to engineer software systems that are reliable and would offer a certain acceptable level of quality in their operation. This report shows how the analysis and refinement of policies for Quality of Service can be carried out within logic by exploiting forms of abductive and argumentative reasoning. In particular, it provides two main contributions. The first is an extension of earlier work on the use of abductive reasoning for automatic policy refinement by exploiting the use of integrity constraints within abduction and its integration with constraint solving. This has allowed us to enhance this refinement process in various ways, e.g. supporting parameter values derivation to quantify abstract refinement to specific policies ready to be put in operation, and calculating utility values to determine optimal refined policies. The second contribution is a new approach for modelling and formulating Quality of Service policies, and more general policies for software requirements, as preference policies within logical frameworks of argumentation. This is shown to be a flexible and declarative approach to the analysis of such policies through high-level semantic queries of argumentation, demonstrated here for the particular case of network firewall policies where the logical framework of argumentation allows us to detect anomalies in the firewalls and facilitates the process of their resolution. To our knowledge this is the first time that the link between argumentation and the specification and analysis of requirement policies has been studied

Access control via belnap logic: intuitive, expressive, and analyzable policy composition

Access control to IT systems increasingly relies on the ability to compose policies. There is thus bene t in any framework for policy composition that is intuitive, formal (and so \an- alyzable" and \implementable"), expressive, independent of speci c application domains, and yet able to be extended to create domain-speci c instances. Here we develop such a framework based on Belnap logic. An access-control policy is interpreted as a four-valued predicate that maps access requests to either grant, deny, con ict, or unspeci ed { the four values of the Bel- nap bilattice. We de ne an expressive access-control policy language PBel, having composition operators based on the operators of Belnap logic. Natural orderings on policies are obtained by lifting the truth and information orderings of the Belnap bilattice. These orderings lead to a query language in which policy analyses, e.g. con ict freedom, can be speci ed. Policy analysis is supported through a reduction of the validity of policy queries to the validity of propositional formulas on predicates over access requests. We evaluate our approach through rewall policy and RBAC policy examples, and discuss domain-speci c and generic extensions of our policy language

Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis

It is difficult to develop and manage large, multi-author access control policies without a means to compose larger policies from smaller ones. Ideally, an access-control policy language will have a small set of simple policy combinators that allow for all desired policy compositions. In [5], a policy language was presented having policy combinators based on Belnap logic, a four-valued logic in which truth values correspond to policy results of grant , deny , conflict , and undefined . We show here how policies in this language can be analyzed, and study the expressiveness of the language. To support policy analysis, we define a query language in which policy analysis questions can be phrased. Queries can be translated into a fragment of first-order logic for which satisfiability and validity checks are computable by SAT solvers or BDDs. We show how policy analysis can then be carried out through model checking, validity checking, and assume-guarantee reasoning over such translated queries. We also present static analysis methods for the particular questions of whether policies contain gaps or conflicts. Finally, we establish expressiveness results showing that all data independent policies can be expressed in our policy language. © 2008 IEEE

Applying Formal Methods to Networking: Theory, Techniques and Applications

Despite its great importance, modern network infrastructure is remarkable for the lack of rigor in its engineering. The Internet which began as a research experiment was never designed to handle the users and applications it hosts today. The lack of formalization of the Internet architecture meant limited abstractions and modularity, especially for the control and management planes, thus requiring for every new need a new protocol built from scratch. This led to an unwieldy ossified Internet architecture resistant to any attempts at formal verification, and an Internet culture where expediency and pragmatism are favored over formal correctness. Fortunately, recent work in the space of clean slate Internet design---especially, the software defined networking (SDN) paradigm---offers the Internet community another chance to develop the right kind of architecture and abstractions. This has also led to a great resurgence in interest of applying formal methods to specification, verification, and synthesis of networking protocols and applications. In this paper, we present a self-contained tutorial of the formidable amount of work that has been done in formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial

Policy conflict analysis for diffserv quality of service management

Policy-based management provides the ability to (re-)configure differentiated services networks so that desired Quality of Service (QoS) goals are achieved. This requires implementing network provisioning decisions, performing admission control, and adapting bandwidth allocation to emerging traffic demands. A policy-based approach facilitates flexibility and adaptability as policies can be dynamically changed without modifying the underlying implementation. However, inconsistencies may arise in the policy specification. In this paper we provide a comprehensive set of QoS policies for managing Differentiated Services (DiffServ) networks, and classify the possible conflicts that can arise between them. We demonstrate the use of Event Calculus and formal reasoning for the analysis of both static and dynamic conflicts in a semi-automated fashion. In addition, we present a conflict analysis tool that provides network administrators with a user-friendly environment for determining and resolving potential inconsistencies. The tool has been extensively tested with large numbers of policies over a range of conflict types

Policy Algebras for Hybrid Firewalls

Firewalls are a effective means of protecting a local system or network of systems from network-based security threats. In this paper, we propose a policy algebra framework for security policy enforcement in hybrid firewalls, ones that exist both in the network and on end systems. To preserve the security semantics, the policy algebras provide a formalism to compute addition, conjunction, subtraction, and summation on rule sets; it also defines the cost and risk functions associated with policy enforcement. Policy outsourcing triggers global cost minimization. We show that our framework can easily be extended to support packet filter firewall policies. Finally, we discuss special challenges and requirements for applying the policy algebra framework to MANETs

Network Security Automation

L'abstract è presente nell'allegato / the abstract is in the attachmen