International audienceSoftware-defined networking offers new opportunities for protecting end users by designing dynamic security policies. In particular, security chains can be built by combining security functions, such as firewalls, intrusion detection systems and services for preventing data leakage. The configuration of these security functions and their associated policies is based on behavioural models of end-user applications when accessing the network. In this demo, we present our tool Synaptic, a SDN-based framework intended for the formal verification of security policies as well as for automatically generating such policies based on automata learning methods applied on NetFlow records of end-user applications collected at the device level

Badonnel, Rémi

Lahmadi, Abdelkader

Merz, Stephan

Schnepf, Nicolas

INRIA a CCSD electronic archive server

HAL Id: hal-01892397https://hal.archives-ouvertes.fr/hal-01892397Submitted on 7 Dec 2018HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.Synaptic: A formal checker for SDN-based securitypoliciesNicolas Schnepf, Rémi Badonnel, Abdelkader Lahmadi, Stephan MerzTo cite this version:Nicolas Schnepf, Rémi Badonnel, Abdelkader Lahmadi, Stephan Merz. Synaptic: A formal checkerfor SDN-based security policies. NOMS 2018 - IEEE/IFIP Network Operations and ManagementSymposium, Apr 2018, Taipei, Taiwan. ￿10.1109/NOMS.2018.8406122￿. ￿hal-01892397￿Synaptic: a Formal Checker for SDN-basedSecurity PoliciesNicolas Schnepf, Rémi Badonnel, Abdelkader Lahmadi, and Stephan MerzUniversité de Lorraine, CNRS, Inria, LORIA, Nancy, FranceABSTRACTSoftware-defined networking offers new opportunities forprotecting end users by designing dynamic security policies.In particular, security chains can be built by combining se-curity functions, such as firewalls, intrusion detection systemsand services for preventing data leakage. The configurationof these security functions and their associated policies isbased on behavioural models of end-user applications whenaccessing the network. In this demo, we present our toolSynaptic, a SDN-based framework intended for the formalverification of security policies as well as for automaticallygenerating such policies based on automata learning methodsapplied on NetFlow records of end-user applications collectedat the device level.I. BACKGROUNDThe programmability that characterizes SDN [1] simplifiesthe specification of network policies by decoupling the controland the data planes. Based on this paradigm, it is possibleto enforce chains of security functions, such as describedin [2] for protecting end users. Such chains are composedof security functions, such as intrusion detection systems,firewalls or data leakage prevention mechanisms, combinedin sequence or in parallel. However, due to their complexityand dynamics, these chains of security functions may giverise to misconfigurations in the network. Formal methodsprovide techniques that can help the validation of securitychains before they are deployed. Formal verification of SDNpolicies is an important topic in the literature [3], [4]. Currentapproaches focus mostly on the verification of the data plane,and miss aspects related to the control plane. Nevertheless,the Pyretic language [5], part of the Frenetic framework [6],provides an intuitive way for specifying SDN security policies,and verification facilities are provided for the control plane,through its Kinetic extension [7].II. SYNAPTIC: GENERATING AND CHECKING POLICIESSynaptic combines two functionalities. First, it providestechniques for verifying both the control and data planes re-lated to security chains, as described in [8]. These chains cor-respond to security policies combining security functions usingsoftware-defined networking. Second, it includes a componentfor profiling applications based on logs of their behavior,and for configuring SDN security policies from the inferredprofiles. We developed the prototype using Python 2.7, asan extension of Pyretic and Kinetic. The interactions amongthe different components of Synaptic for the verification of apolicy is depicted in Fig. 1. The input received by our checkeris a security policy specified in Pyretic together with severallogical properties. This input is then translated into either aSMTlib model that can be verified by SMT solving, or into anuXmv model that can be verified by model checking. If thebehavior of this policy is controlled by a Kinetic automaton,Synaptic will use the verification procedure implemented bythis framework, then verify the correctness of each data planepolicy used by this control automaton. Otherwise, Synapticwill directly verify the data plane policy that it receives.Concerning the possibilities in terms of formal verification,we integrated the following SMT solvers: CVC4 [9] v1.4 andveriT [10] v201506. We also included the nuXmv [11] v1.0.1model checker, as a backend of our tool.Figure 1. The verification steps of a SDN-based security policy.While the checker accepts arbitrary (such as hand-written)security policies expressed in Pyretic, we also support theirautomatic generation based on automata learning [12]. Synap-tic includes a component for learning a Markovian modelthat captures the networking behavior of an application andfor deriving a corresponding security policy in Pyretic. Thisgeneration process is divided into four phases depicted inFig. 2: NetFlow acquisition, NetFlow aggregation, automatalearning and rule generation. NetFlow records are collecteddirectly on the end-user device by a dedicated probe, suchas Flowoid [13] developed in our research team or fromavailable datasets. Collected NetFlows are transmitted to theaggregation module deployed in the cloud: it will aggregateNetFlows based on the responses of whois requests for theIP addresses and on the ranges of ports contained in thetraces. From the aggregated NetFlows, the automaton learningmodule will infer a Markov chain summarizing the behaviorof the application: to do so, we create a state for each pair ofnetname/port range and we compute the probability of eachFigure 2. Generation and verification of SDN-based security policies based on application profiling.outgoing transition. Finally, this automaton is provided to therule generation module that will generate a Kinetic automatonmatching the behavior of the application.III. THE DEMONSTRATIONIn this demo, we will present both the verification andthe process learning features of Synaptic. The verificationfeature will be illustrated with several examples, includingthe verification of a Kinetic based control automaton or theverification of a stateless firewall. For each of these examples,we will show (1) the policy that input to Synaptic, (2) theproperties to be verified, and (3) the verification optionsoffered by Synaptic. We will exhibit correct and erroneouspolicies, show the corresponding responses of our checker,and provide timing information. For the automata learningfeature, we collected traces of different applications. For eachof them, we will show how Synaptic can be used for learninga probabilistic model of their networking behavior, and howthis can be used to synthesize and then verify a securitychain. Through these different examples, we will show howthe complexity of NetFlow records influences the automataproduced by Synaptic and the response time of the subsequentverification procedure. We will also show how to configurethe aggregation module in order to reduce this complexity asmuch as possible. Finally, we will illustrate how automata canbe stored in external files in order to be processed by otherservices: an example of such an automaton appears in Fig. 3.Figure 3. Automaton describing the behavior of the Dropbox application.REFERENCES[1] N. Feamster and H. Kim, “Software-Defined Networks: ImprovingNetwork Management with SDN,” in IEEE Communications Magazine,February 2013.[2] G. Hurel, R. Badonnel, A. Lahmadi, and O. Festor, “Towards CloudBased Compositions of Security Functions for Mobile Devices,” inIFIP/IEEE International Symposium on Integrated Network Manage-ment (IM’15), 2015.[3] E. Al-Shaer and S. Al-Haj, “FlowChecker, Configuration Analysis andVerification of Federated OpenFlow Infrastructures,” in Proceedings ofthe 3rd ACM Workshop on Assurable and Usable Security Configuration(CCS’10), 2010.[4] T. Ball, N. Bjørner, A. Gember, S. Itzhaky, A. Karbyshev, M. Sagiv,M. Schapira, and A. Valadarsky, “Vericon: Towards Verifying ControllerPrograms in Software-Defined Networks,” in Proc. 35th ACM SIGPLANIntl. Conf. Programming Language Design (PLDI’14), Edinburgh, UK,2014, pp. 282–293.[5] N. Foster, M. J. Freedman, A. Guha, R. Harrison, N. P. Kata, C. Mon-santo, J. Reich, M. Reitblatt, R. Jennifer, C. Schlesinger, A. Story, andD. Walker, “Languages for Software-Defined Networks,” in SoftwareTechnology Group, 2016.[6] N. Foster, M. J. Freedman, R. Harrison, C. Monsanto, and D. Walker,“Frenetic, a Network Programming Language,” in Proceedings of the16th ACM SIGPLAN International Conference on Functional Program-ming (ICFP’11), 2011.[7] H. Kim, J. Reich, A. Gupta, M. Shahbaz, N. Feamster, and R. Clark,“Kinetic: Verifiable Dynamic Network Control,” in Proceedings of the12th USENIX Conference on Networked Systems Design and Implemen-tation (NSDI’15), 2015.[8] N. Schnepf, S. Merz, R. Badonnel, and A. Lahmadi, “Automated veri-fication of security chains in software-defined networks with Synaptic,”in Proceedings of the 3rd IEEE Conference on Network Softwarization(NetSoft’17), 2017.[9] C. Barrett, C. L. Conway, M. Deters, L. Hadarean, D. Jovanovic, T. King,A. Reynolds, and C. Tinelli, “CVC4,” in Proc. 23rd Intl. Conf. ComputerAided Verification (CAV 2011), Snowbird, UT, USA, 2011, pp. 171–177.[10] T. Bouton, D. C. B. D. Oliveira, D. Déharbe, and P. Fontaine, “veriT: AnOpen, Trustable and Efficient SMT-Solver,” in Proc. 22nd InternationalConference on Automated Deduction (CADE-22), Montreal, Canada,2009, pp. 151–156.[11] R. Cavada, A. Cimatti, M. Dorigatti, A. Griggio, A. Mariotti, A. Micheli,S. Mover, M. Roveri, and S. Tonetta, “The nuXmv symbolic modelchecker,” in Proc. 26th Intl. Conf. Computer Aided Verification (CAV2014), Vienna, Austria, 2014, pp. 334–342.[12] N. Schnepf, S. Merz, R. Badonnel, and A. Lahmadi, “Towards gen-eration of sdn policies for protecting android environments based onautomata learning,” in Proceedings of the 16th Network Operations andManagement Symposium (IEEE/IFIP NOMS’18), 2018.[13] A. Lahmadi, F. Beck, E. Finickel, and O. Festor, “A platformfor the analysis and visualization of network flow data of androidenvironments,” IFIP/IEEE International Symposium on IntegratedNetwork Management (IM), May 2015, poster. [Online]. Available:https://hal.inria.fr/hal-01242911

Synaptic: A formal checker for SDN-based security policies

https://hal.archives-ouvertes.fr/hal-01892397/document

Synaptic: A formal checker for SDN-based security policies

Abstract

Similar works

Full text

Available Versions

INRIA a CCSD electronic archive server