Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 1 Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University.

Similar presentations


Presentation on theme: "1 1 Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University."— Presentation transcript:

1 1 1 Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University

2 2 A Cloud of Policies Application Author: end-user access-control, … Datacenter Administrator: firewalls, hypervisor Chinese Walls, … Cloud-Based App Builder

3 3 Need isolation at server and network level Shenoy

4 4 … and other dens of iniquity

5 5

6 6

7 7 intdmz ext DMZ employees contractors manager

8 8 blacklist telnet www tcp smtp tcp www tcp

9 9 ACL for External firewall: 1: DENY if: ifc=fw1_dmz, ipdest in blacklist 2: DENY if: ifc=fw1_ext, ipsrc in blacklist 3: DENY if: ifc=fw1_dmz, portdest=telnet 4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp 5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp 6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager 7: DROP otherwise

10 10 smtp tcp www tcp fw2_staticipsrc smtp tcp

11 11 Problem The manager cant connect to the Web.

12 12 Policy Analysis Using Margrave

13 13 ?When can a connection from the managers PC be denied if its to port 80 (www) over TCP to any machine?

14 14 p.p.dstprt = www p.proto = TCP p.ipdest outIPs p.ipsrc = manager Int.ACL denies p p. Int.NAT translates p to p p.dstprt = p.dstprt p.proto = p.proto p.ipdest = p.ipdest Ext.ACL denies p

15 15 p.entry-interface = IntFW.int p.ipsrc = manager p.ipdest in outIPs p.srcprt = any p.dstprt = www p.proto = tcp p = p except p.entry-interface = ExtFW.dmz p.ipsrc = fw2_static

16 16 ?When can a connection from the managers PC be denied if its to port 80 (www) over TCP to any machine? Always.

17 17 ?…same query…, but with rule-tracing enabled. …same response…, with Ints ACL accepts the packet via rule 4. Ints NAT applies to the packet. Ints ACL denies the post-NAT packet via rule 7.

18 18 www tcp fw2_staticipsrc www tcp www tcp

19 19 ACL for External firewall: 1: DENY if: ifc=fw1_dmz, ipdest in blacklist 2: DENY if: ifc=fw1_ext, ipsrc in blacklist 3: DENY if: ifc=fw1_dmz, portdest=telnet 4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp 5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp 6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=managerfw2_static 7: DROP otherwise

20 20 P Does the policy satisfy its property?

21 21 P They tend to think in terms of procedures, rather than goals Anderson Can people state them? Are they good enough?

22 22 P - P Help people with policy evolution: study what has changed

23 23 p.Int.ACL accepts p p. Int.NAT translates p to p p.dstprt = p.dstprt p.proto = p.proto p.ipdest = p.ipdest ((Ext.ACL denies p Ext.ACLNew accepts p) (Ext.ACL accepts p Ext.ACLNew denies p))

24 24 Presenting Change p.entry-interface = fw2_int p.ipsrc = employee p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = contractor p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp packets Deny to Permit Permit to Deny A function mapping requests to changes in outcome

25 25 p.entry-interface = fw2_int p.ipsrc = manager p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = employee p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = contractor p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp Denied Permit

26 26 Change as a First-Class Entity Restrict changes to External Firewall View Which machines lost privileges? Query Confirm no machines gained privileges Verification

27 27 Configuration checking Upgrade checkingFinding hotspots What if questions Mutation testing ? Refactoring testing

28 28 Scope of Margrave Most of XACML 1.0 and 2.0 Cisco IOS: –ACL: standard and extended –NAT: static; dynamic: ACL-based, map-based –routing: static and policy-based –limited: BGP announcements and VPN endpoints Amazon Access Policy Language (in SQS) Hypervisor, based on sHype (IBM) A Datalog-based intermediate language

29 29 Performance Production firewall (1108 rules): Change-impact: Time: 2.5 sec Space: baseline + 83 Mb List all superfluous rules: Time: 10 min Space: baseline Mb Production XACML policy: Verification: Time: <10 millisec Space: baseline Kb Change-impact: Time: 2 millisec Space: baseline + 16 Kb

30 30 Under the Hood Translation into first-order logic Propositionalize to BDDs and SAT Bernays-Schönfinkel-Ramsey class Extended to multi-sorted logic Some small theories for networking Aggregation to compress i. and o. Rule-tracing EDBs and IDBs in models

31 31 Upcoming Work More sophisticated modeling of state Visualization of output Generating constraints on components Suggesting repairs Handling numerics

32 32 Dan Dougherty [WPI] Kathi Fisler [WPI] Tim Nelson [WPI] Alums: –Leo Meyerovich [Brown u.g. Berkeley] –Michael Tschantz [Brown u.g. CMU]


Download ppt "1 1 Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University."

Similar presentations


Ads by Google