Journal articles

Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks

Nicolas Schnepf (1, 2), Rémi Badonnel (1), Abdelkader Lahmadi (1), Stephan Merz (2, 3)

1. RESIST - Resilience and Elasticity for Security and ScalabiliTy of dynamic networked systems, Inria Nancy - Grand Est, LORIA - NSS - Department of Networks, Systems and Services
2. VERIDIS - Modeling and Verification of Distributed Algorithms and Systems, MPII - Max-Planck-Institut für Informatik, Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
3. MOSEL - Proof-oriented development of computer-based systems, LORIA - FM - Department of Formal Methods
Abstract: Software-defined networks (SDN) offer a high degree of programmability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end-user applications. These chains can benefit from formal techniques for their automated construction and verification. In this paper we propose a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in Pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties, such as the absence of black holes and loops and freedom from shadowing, and that they are coherent with the underlying security policy.
https://hal.inria.fr/hal-02397981
Contributor: Rémi Badonnel
Submitted on: Wednesday, December 11, 2019 - 3:41:04 PM
Last modification on: Saturday, October 16, 2021 - 11:26:10 AM
Long-term archiving on: Thursday, March 12, 2020 - 12:58:22 PM

File: hal.pdf (files produced by the author(s))

Citation

Nicolas Schnepf, Rémi Badonnel, Abdelkader Lahmadi, Stephan Merz. Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks. Electronic Communications of the EASST, European Association of Software Science and Technology e.V, 2019, 076, ⟨10.14279/tuj.eceasst.76.1075.1042⟩. ⟨hal-02397981⟩

Metrics

Record views: 102
File downloads: 280