FSL: A Flow-based Security Language

1
FSLA Flow-based Security Language

• Tim Hinrichs
• Natasha Gude
• Martìn Casado
• John Mitchell
• Scott Shenker

University of Chicago Nicira Networks Nicira
Networks Stanford University UC Berkeley
2
Local Area Networks
3
Network Policy Examples

• Every wireless guest user must send HTTP
  requests through an HTTP proxy.
• No phone can communicate with any private
  computer.
• Superusers have no communication restrictions.
• Laptops cannot receive incoming connections.

4
NOX a Network Architecture(Ethanes successor)
App 1
NOX Controller
Network View
App 2
App 3
PC
OF Switch
Wireless OF Switch
OF Switch
See Gude2008
Off-the-shelf hosts
5
NOX Operation
6
NOX Operation
SECURITY POLICY
7
NOX Operation
8
FSL

• FSL Flow Security Language
• FSL balances the desires to make
• expressing network policies natural and
• implementing policies efficient.

9
A Datalog Variant

• Syntax
• h - b1,,bn,?c1,,?cm
• h must exist.
• Every variable in the body must appear in h.
• Nonrecursive sentence sets.
• Semantics
• Statement order is irrelevant.
• Every sentence set is satisfied by exactly one
  model.

10
Network Flows

• Protocol

• User source
• Host source
• Access point source

• User target
• Host target
• Access point target

• Keywords for constraining flow route
• allow allow the flow
• deny deny the flow
• visit force the flow to pass through an
  intermediary
• avoid forbid the flow from passing through an
  intermediary
• ratelimit limit on Mb/second

11
Keyword deny

• No phone can communicate with any private
  computer.
• deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) -
• phone(Hsrc) , private(Htgt)
• deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) -
• private(Hsrc) , phone(Htgt)
• private(X) - laptop(X)
• private(X) - desktop(X)

12
Keyword visit

• Every wireless guest user must send HTTP
  requests through a proxy.
• visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy
  ) -
• guest(Usrc) , wireless(Asrc) , Prothttp

13
Operation

• Given FSL policy ? and
• flow ltus,hs,as,ut,ht,at,pgt, ask
• ? deny(us,hs,as,ut,ht,at,p)
• ? allow(us,hs,as,ut,ht,at,p)
• X ? visit(us,hs,as,ut,ht,at,p,X)
• X ? avoid(us,hs,as,ut,ht,at,p,X)
• X ? ratelimit(us,hs,as,ut,ht,at,p,X)

14
FSL Complexity

• Query processing is PSPACE-complete in the size
  of the policy for an arbitrary query.
• When queries are restricted to keywords, query
  processing takes polynomial time in the size of
  the policy.
• If the tallest possible call stack (path through
  the dependency graph) is 1, then query processing
  takes linear time in the size of the policy.

15
Compilation Example

• No phone can communicate with any private
  computer.
• deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) -
• phone(Hsrc) , private(Htgt)
• deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) -
• private(Hsrc) , phone(Htgt)
• private(X) - laptop(X)
• private(X) - desktop(X)

16
Compilation Example

• bool deny (Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)
• return (phone(Hsrc) private(Htgt))
• (private(Hsrc) phone(Htgt))
• bool private(X)
• return laptop(X) desktop(X)
• Assume the existence of functions for phone,
  laptop, desktop.

17
Deployment Experiences

• On a small internal network (about 50 hosts), NOX
  has been in use over a year, and FSL has been in
  use for 10 months.
• We are preparing for two larger deployments (of
  hundreds and thousands of hosts).
• So far, policies are expressed over just a few
  classes of objects.
• Thus, we expect policies to grow slowly with the
  number of principals.

18
Questions
19
References

• Gude2008 N. Gude, et. al. NOX Towards an
  Operating System for Networks. Computer
  Communications Review 2008.
• Hinrichs2009 T. Hinrichs, et. al. Design and
  Implementation of a Flow-based Security Language.
  Under review. Available upon request.

20
Related Work Comparison

• Limitations
• Not using FOL, Modal logic, Linear logic
• No existential variables
• No recursion
• Fixed conflict resolution scheme
• No delegation
• No history/future-dependent policies
• Centralized enforcement
• Limited metalevel operations
• Novel language features
• Access control decisions are constraints.
• Conflict resolution produces constraint set

For citations, see Hinrichs2009.
21
Backup
22
FSL Features

• Logical language Distributed policy authorship
• External references
• Conflicts, conflict detection, conflict
  resolution
• Incremental policy authorship via priorities
• Analyzability
• High Performance 104-105 queries/second
• Layered language

Prioritization
Conflicts
Keywords
Logic
Data
23
Conflicts

• Conflicts are vital in collaborative settings
  because they allow administrators to express
  their true intentions.
• Authorization systems cannot enforce conflicting
  security policies.

24
FSL Usage Overview
Policy 1
Policy n

Combined Policy
Analysis Engine
Authorization System
25
Conflict Resolution

• No conflicts conflicts are errors.
• Most restrictive choose instructions that give
  users the least rights.
• Most permissive choose policy instructions that
  give users the most rights.
• Cancellation a flow with conflicting constraints
  has no constraints.

26
Conflict Resolution as a Tool

• Fixing the conflict resolution mechanism allows
  certain policies to be expressed very simply.
• Example (Open Policy) allow everything not
  explicitly denied.
• allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)
• deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) -
• phone(Hsrc) , private(Htgt)
• deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) -
• private(Hsrc) , phone(Htgt)

27
Incremental Policy Authoring

• To tighten a FSL policy, one needs only to add
  statements to it.
• The conflict resolution strategy ensures that the
  most restrictive constraints are used.
• To relax a FSL policy, it is therefore
  insufficient to simply add statements.

28
Prioritized Policies

• Borrow a mechanism from Cascading Style Sheets
  (CSS).
• To relax security incrementally, FSL allows one
  policy to be overridden by another policy.
• P1 lt P2
• A request constrained by P2 is only constrained
  by P2.

29
Example

• P1
• P2
• allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) ?
  Usrcceo

allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) -
superuser(Usrc) superuser(bob) superuser(alice) de
ny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) -
phone(Hsrc) , private(Htgt) deny(Usrc,Hsrc,Asrc,Ut
gt,Htgt,Atgt,Prot) - private(Hsrc) ,
phone(Htgt) private(X) - laptop(X) private(X) -
desktop(X) visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Pro
t,httpproxy) - guest(Usrc) , wireless(Asrc) ,
Prothttp allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh)
- ?guest(Usrc) , server(Htgt)
30
Cascaded Policy Combination
Policy 1,m1
Policy n,mn


Policy 1,2
Policy n,2

Policy 1,1
Policy n,1
Combined Policy
31
Cascaded Policy Combination

1. Flatten cascades.
2. Combine results.

Policy 1
Policy n

Combined Policy
32
Features

• Distributed policy authorship
• External references
• Conflict detection/resolution
• Incremental policy authorship via priorities
• Analyzability
• High Performance 104 queries/second
• Layered language

Prioritization
Conflict Resolution
Keywords
Logic
Data
33
Analysis Algorithms

• Flattened Cascade a policy cascade expressed as
  a flat policy.
• Group Normal Form every rule body consists only
  of external references (and ).
• Conflict Conditions conditions on external
  references under which there will be a conflict.
• Conflict-free Normal Form equivalent policy
  (under conflict resolution) without conflicts.

34
10-5 seconds
Operation
Avg. Seconds
true false 2.7 x 10-9
function f (x y) (x y)) f(true,false) 3.8 x 10-8
equalp (mary had a little lamb, Mary Had A Little Lamb) 2.1 x 10-6
samep (p(X,Y,X,a), p(Z,T,Z,a)) 6.7 x 10-6
matchp (p(X,Y,X,a), p(b,c,b,a)) 7.3 x 10-6
mgup (p(X,c,X,a), p(b,T,Z,a)) 1.3 x 10-5
unifyp (p(X,c,X,a), p(b,T,Z,a)) 2.7 x 10-5
35
Implementation Tests
Flows/s Mem (MB) Rule Matches
0 rules 103,699 0 0
100 rules 100,942 1 2
500 rules 85,373 1 4
1,000 rules 76,336 2 10
5,000 rules 54,416 9 30
10,000 rules 46,956 38 52
36
Ongoing Work

• Currently, each flow initiation requires
  contacting a central controller.
• The route for that flow is cached at the router.
• Working to generalize this caching scheme.
• Each trip to the central controller caches more
  than just the route for one flow.