Nicolas Schnepf, Rémi Badonnel, Abdelkader Lahmadi, Stephan Merz
{"title":"基于规则的软件定义网络安全功能链综合","authors":"Nicolas Schnepf, Rémi Badonnel, Abdelkader Lahmadi, Stephan Merz","doi":"10.14279/TUJ.ECEASST.76.1075.1042","DOIUrl":null,"url":null,"abstract":"Software-defined networks (SDN) offer a high degree of programmabil-ity for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in Pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties such as the absence of black holes or loops, and shadowing freedom, and that they are coherent with the underlying security policy.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"24 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-07-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"11","resultStr":"{\"title\":\"Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks\",\"authors\":\"Nicolas Schnepf, Rémi Badonnel, Abdelkader Lahmadi, Stephan Merz\",\"doi\":\"10.14279/TUJ.ECEASST.76.1075.1042\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Software-defined networks (SDN) offer a high degree of programmabil-ity for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in Pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties such as the absence of black holes or loops, and shadowing freedom, and that they are coherent with the underlying security policy.\",\"PeriodicalId\":115235,\"journal\":{\"name\":\"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.\",\"volume\":\"24 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-07-18\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"11\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.14279/TUJ.ECEASST.76.1075.1042\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.14279/TUJ.ECEASST.76.1075.1042","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks
Software-defined networks (SDN) offer a high degree of programmabil-ity for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in Pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties such as the absence of black holes or loops, and shadowing freedom, and that they are coherent with the underlying security policy.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
