No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Automated policy generation for testing access control software
Abstract
Access control systems (ACS) are a critical component of modern information technology systems and require rigorous testing. If the ACS has defects, then the deployment is not secure and is a threat to system security. Firewalls are an important example of an ACS, and formally verifying firewall systems has recently attracted attention. We present an automated software-testing tool, PG, for the production of firewall policies for use in firewall policy enforcement testing. PG utilizes a number of heuristic techniques to improve space coverage over traditional systems based on randomly generated firewall policies. An empirical study is presented demonstrating that PG generates firewall policies with superior coverage compared to traditional policy-generation techniques. The extension of PG beyond firewall systems to other ACS situations is outlined.
ResearchGate has not been able to resolve any citations for this publication.
Network security devices such as firewalls and intrusion detection systems are constantly updated in their implementation to accommodate new features, performance standards and to utilize new hardware optimization. Reliable, yet practical, testing techniques for validating the configuration enforcement after every new software and firmware update become necessary to assure correct configuration realization. Generating random traffic to test the firewall configuration enforcement is not only inaccurate but also impractical as it requires an infeasible number of test cases for a reasonable testing coverage. In addition, in most cases the policies used during testing are manually generated or have limited configuration profiles. We present a framework for automatic testing of the firewall configuration enforcement using efficient and flexible policy and traffic generation. In a typical test session, a large set of different policies are generated based on the access-control list (ACL) grammar and according to custom profiles. Test packets are generated to particularly consider critical segments of the tested policies and to achieve high coverage of the testing space. We also describe our implementation of a fully-automated framework, which includes ACL grammar modeling, the policy generation, test cases generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that our security configuration testing is not only achievable but it also offers high coverage with significant degree of confidence.
Packet flltering plays a critical role in many of the current high speed network technologies such as flrewalls and IPSec devices. The optimization of flrewall policies is critically important to provide high performance packet flltering par- ticularly for high speed network security. Current packet fll- tering techniques exploit the characteristics of the flltering policies, but they do not consider the tra-c behavior in op- timizing their search data structures. This results in imprac- tically high space complexity, which undermines the perfor- mance gain ofiered by these techniques. Also, these tech- niques ofier upper bounds for the worst case search times; nevertheless, average case scenarios are not necessarily op- timized. Moreover, the types of packet flltering flelds used in most of these techniques are limited to IP header flelds and cannot be generalized to cover transport and application layer flltering. In this paper, we present a novel technique that utilizes Internet tra-c characteristics to optimize flrewall flltering policies. The proposed technique timely adapts to the traf- flc conditions using actively calculated statistics to dynam- ically optimize the ordering of packet flltering rules. The rule importance in tra-c matching as well as its depen- dency on other rules are both considered in our optimiza- tion algorithm. Through extensive evaluation experiments using simulated and real Internet tra-c traces, the proposed mechanism is shown to be e-cient and easy to deploy in practical flrewall implementations.
We present an optimization technique for model-based generation of test cases for firewalls. Starting from a formal model for firewall policies in higher-order logic, we derive a collection of semantics-preserving policy transformation rules and an algorithm that optimizes the specification with respect of the number of test cases required for path coverage. The correctness of the rules and the algorithm is established by formal proofs in Isabelle/HOL. Finally, we use the normalized policies to generate test cases with the domain-specific firewall testing tool HOL-TestGen/FW. The resulting procedure is characterized by a gain in efficiency of two orders of magnitude. It can handle configurations with hundreds of rules such as frequently occur in practice. Our approach can be seen as an instance of a methodology to tame inherent state-space explosions in test case generation for security policies.
With the significant development of mobile commerce, privacy becomes a major concern for both customers and enterprises. Although
data generalization can provide significant protection of an individual’s privacy, over-generalized data may render data of
little value or useless. In this paper, we devise generalization boundary techniques to maximize data usability while, minimizing
disclosure of privacy. Inspired by the fact that the permissible generalization level results in a much finer level access
control, we propose a privacy-aware access control model in web service environments. We also analyze how to manage a valid
access process through a trust-based decision and ongoing access control policies. The extensive experiments on both real-world
and synthetic data sets show that the proposed privacy aware access control model is practical and effective.
A global education system, as a key area in future IT, has fostered developers to provide various learning systems with low cost. While a variety of e-learning advantages has been recognized for a long time and many advances in e-learning systems have been implemented, the needs for effective information sharing in a secure manner have to date been largely ignored, especially for virtual university collaborative environments. Information sharing of virtual universities usually occurs in broad, highly dynamic network-based environments, and formally accessing the resources in a secure manner poses a difficult and vital challenge. This paper aims to build a new rule-based framework to identify and address issues of sharing in virtual university environments through role-based access control (RBAC) management. The framework includes a role-based group delegation granting model, group delegation revocation model, authorization granting, and authorization revocation. We analyze various revocations and the impact of revocations on role hierarchies. The implementation with XML-based tools demonstrates the feasibility of the framework and authorization methods. Finally, the current proposal is compared with other related work.
Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraint-generation phase followed by a constraint-solving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of off-the-shelf constraint solvers makes this approach even more compelling. However, there are few, if any, effective and sufficiently expressive off-the-shelf solvers for string constraints generated by analysis techniques for string-manipulating programs. We designed and implemented Hampi, a solver for string constraints over bounded string variables. Hampi constraints express membership in regular languages and bounded context-free languages. Hampi constraints may contain context-free-language definitions, regular-language definitions and operations, and the membership predicate. Given a set of constraints, Hampi outputs a string that satisfies all the constraints, or reports that the constraints are unsatisfiable. Hampi is expressive and efficient, and can be successfully applied to testing and analysis of real programs. Our experiments use Hampi in: static and dynamic analyses for finding SQL injection vulnerabilities in Web applications; automated bug finding in C programs using systematic testing; and compare Hampi with another string solver. Hampi's source code, documentation, and the experimental data are available at http://people.csail.mit.edu/akiezun/hampi.
The implementation of network security devices such as firewalls and IDSs are constantly being improved to accommodate higher security and performance standards. Using reliable and yet practical techniques for testing the functionality of firewall devices particularly after new filtering implementation or optimization becomes necessary to assure required security. Generating random traffic to test the functionality of firewall matching is inefficient and inaccurate as it requires an exponential number of test cases for a reasonable coverage. In addition, in most cases the policies used during testing are limited and manually generated representing fixed policy profiles. In this paper, we present a framework for automatic testing of the firewall policy enforcement or implementation using efficient random traffic and policy generation techniques. Our framework is a two-stage architecture that provides a satisfying coverage of the firewall operational states. A large variety of policies are randomly generated according to custom profiles and also based on the grammar of the access control list. Testing packets are then generated intelligently and proportional to the critical regions of the generated policies to validate the firewall enforcement for such policies. We describe our implementation of the framework based on Cisco IOS, which includes the policy generation, test cases generation, capturing and analyzing firewall out put, and creating detailed test reports. Our evaluation results show that the automated security testing is not only achievable but it also offers a dramatically higher degree of confidence than random or manual testing.
Firewall development and implementation are constantly being improved to accommodate higher security and performance standards. Using reliable yet practical techniques for testing new packet filtering algorithms and firewall design implementations from a functionality point of view becomes necessary to assure the required security. In this paper, an efficient paradigm for automated testing of firewalls with respect to their internal implementation and security policies is proposed. We propose a novel firewall testing technique using policy-based segmentation of the traffic address space, which can intelligently adapt the test traffic generation to target potential erroneous regions in the firewall input space. We also show that our automated approach of test case generation, analyzing firewall logs and creating testing reports not only makes the problem solvable but also offers a significantly higher degree of confidence than random testing.
Firewalls are core elements in network security. However, managing firewall rules, especially for enterprise networks, has become complex and error-prone. Firewall filtering rules have to be carefully written and organized in order to correctly implement the security policy. In addition, inserting or modifying a filtering rule requires thorough analysis of the relationship between this rule and other rules in order to determine the proper order of this rule and commit the updates. In this paper we present a set of techniques and algorithms that provide automatic discovery of firewall policy anomalies to reveal rule conflicts and potential problems in legacy firewalls, and anomaly-free policy editing for rule insertion, removal, and modification. This is implemented in a user-friendly tool called ¿Firewall Policy Advisor.¿ The Firewall Policy Advisor significantly simplifies the management of any generic firewall policy written as filtering rules, while minimizing network vulnerability due to firewall rule misconfiguration.
Our paper proposes an implementable procedure for using the method of quasi-random sequences in software debug testing. In random testing, the sequence of tests (if considered as points in an -dimensional unit hypercube) will give rise to regions where there are clusters of points, as well as underpopulated regions. Quasi-random sequences, also known as low-discrepancy or low-dispersion sequences, are sequences of points in such a hypercube that are spread more evenly throughout. Based on the observation that program faults tend to lead to contiguous failure regions within a program's input domain, and that an even spread of random tests enhances the failure detection effectiveness for certain failure patterns, we examine the use of quasi-random sequences as a replacement for random sequences in automated testing. Because there are only a small number of quasi-random sequence generation algorithms, and each of them can only generate a small number of distinct sequences, the applicability of quasi-random sequences in testing real programs is severely restricted. To alleviate this problem, we examine the use of two types of randomized quasi-random sequences, which are quasi-random sequences permuted in a nondeterministic fashion in such a way as to retain their low discrepancy properties. We show that testing using randomized quasi-random sequences is often significantly more effective than random testing.
An automated process for generating test inputs for web services from a WSDL is presented. A grammatical representation of the web service is extracted from the WSDL and used to produce test cases. A context-free grammar (CFG) is generated from the XSD that is stored in the WSDL. The CFG is provided as input into a constraint-satisfaction problem solver to automatically generate a diverse set of structurally correct XML documents. Testing data is then inserted into the XML templates in accordance with any constraints specified in the XSD. Web service-specific testing can be performed with the inclusion of external datasets and service-specific configurations.
Test case prioritization aims to schedule test cases in a certain order such that the effectiveness of regression testing can be improved. Prioritization using random sequence is a basic and simple technique, and normally acts as a benchmark to evaluate other prioritization techniques. Adaptive Random Sequence (ARS) makes use of extra information to improve the diversity of random sequence. Some researchers have proposed prioritization techniques using ARS with white-box code coverage information that is normally related to the test execution history of previous versions. In this paper, we propose several ARS-based prioritization techniques using black-box information. The proposed techniques schedule test cases based on the string distances of the input data, without referring to the execution history. Our experimental studies show that these new techniques deliver higher fault-detection effectiveness than random prioritization. In addition, as compared with an existing blackbox prioritization technique, the new techniques have similar fault-detection effectiveness but much lower computation overhead, and thus are more cost-effective.
We compare empirically accuracy and speed of low-discrepancy sequence generators of I. M. Sobol and H. Faure. These generators are useful for multidimensional integration and global optimization. We discuss our implementation of the Sobol generator.
Firewalls are an important means to secure critical ICT infrastructures. As configurable off-the-shelf products, the effectiveness of a firewall crucially depends on both the correctness of the implementation itself as well as the correct configuration. While testing the implementation can be done once by the manufacturer, the configuration needs to be tested for each application individually. This is particularly challenging as the configuration, implementing a firewall policy, is inherently complex, hard to understand, administrated by different stakeholders and thus difficult to validate. This paper presents a formal model of both stateless and stateful firewalls (packet filters), including NAT, to which a specification-based conformance test case generation approach is applied. Furthermore, a verified optimisation technique for this approach is presented: starting from a formal model for stateless firewalls, a collection of semantics-preserving policy transformation rules and an algorithm that optimizes the specification with respect of the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates verification and testing, that is, tests and proofs to support conformance testing of network policies. The presented approach is supported by a test framework that allows to test actual firewalls using the test cases generated on the basis of the formal model. Finally, a report on several larger case studies is presented. Copyright © 2014 John Wiley & Sons, Ltd.
Security concerns are becoming increasingly critical in networked systems. Firewalls provide important defense for network security. However, misconfigurations in firewalls are very common and significantly weaken the desired security. This paper introduces FIREMAN, a static analysis toolkit for firewall modeling and analysis. By treating firewall configurations as specialized programs, FIREMAN applies static analysis techniques to check misconfigurations, such as policy violations, inconsistencies, and inefficiencies, in individual firewalls as well as among distributed firewalls. FIREMAN performs symbolic model checking of the firewall configurations for all possible IP packets and along all possible data paths. It is both sound and complete because of the finite state nature of firewall configurations. FIREMAN is implemented by modeling firewall rules using binary decision diagrams (BDDs), which have been used successfully in hardware verification and model checking. We have experimented with FIREMAN and used it to uncover several real misconfigurations in enterprise networks, some of which have been subsequently confirmed and corrected by the administrators of these networks.
Random testing is a low cost strategy that can be applied to a wide range of testing problems. While the cost and straightforward application of random testing are appealing, these benefits must be evaluated against the reduced effectiveness due to the generality of the approach. Recently, a number of novel techniques, coined Adaptive Random Testing, have sought to increase the effectiveness of random testing by attempting to maximize the testing coverage of the input domain. This paper presents the novel application of an evolutionary search algorithm to this problem. The results of an extensive simulation study are presented in which the evolutionary approach is compared against the Fixed Size Candidate Set (FSCS), Restricted Random Testing (RRT), quasi-random testing using the Sobol sequence (Sobol), and random testing (RT) methods. The evolutionary approach was found to be superior to FSCS, RRT, Sobol, and RT amongst block patterns, the arena in which FSCS, and RRT have demonstrated the most appreciable gains in testing effectiveness. The results among fault patterns with increased complexity were shown to be similar to those of FSCS, and RRT; and showed a modest improvement over Sobol, and RT. A comparison of the asymptotic and empirical runtimes of the evolutionary search algorithm, and the other testing approaches, was also considered, providing further evidence that the application of an evolutionary search algorithm is feasible, and within the same order of time complexity as the other adaptive random testing approaches.
This paper presents work on generation of specification-driven test cases based on quasirandom (low-discrepancy) sequences instead of pseudorandom numbers. This approach is novel in software testing. This enhanced uniformity of quasirandom sequences leads to faster generation of test cases covering all possibilities. We demonstrate by examples that quasirandom sequences can be a viable alternative to pseudorandom numbers in generating test cases. In this paper, we present a method that can generate test cases from a decision table specification more effectively via quasirandom numbers. Analysis of a simple problem in this paper shows that quasirandom sequences achieve better data than pseudorandom numbers, and have the potential to converge faster and so reduce the computational burden. The use of different quasirandom sequences for generating test cases is presented in this this paper
Firewalls are a cornerstone of todays security infrastructure for networks. Their configuration, implementing a firewall policy, is inherently complex, hard to understand, and difficult to validate.
We present a substantial case study performed with the model-based testing tool TestGen. Based on a formal model of firewalls and their policies in higher-order logic hol, we first present a derived theory for simplifying policies. We discuss different test plans for test specifications. Finally, we show how to integrate these issues to a domain-specific firewall testing tool holTestGen/fw.
A measure of efficiency of simultaneous methods for determination of polynomial zeros, defined by the coefficient of efficiency, is considered. This coefficient takes into consideration (1) the R-order of convergence in the sense of the definition introduced ...
Security policies are an essential part in the operations of any networking system. Test policies are always needed for conducting research and development. Such policies are required in various phases of research related to many problems as performance optimization, device testing, and configuration analysis. In this paper, we introduce a novel technique that utilizes trace repositories to generate traffic-driven firewall policies. An online clustering mechanism is designed and developed to infer rule criteria and policy structure from the traffic. The approach generates policies relevant to the environment while satisfying structural features specified by testing requirements. Clustering parameters are tuned to fit the need of the testing domain. High level structural features (policy size, distinct rules, rule specificity, etc) are mapped to algorithm input parameters. The technique evaluation shows the flexibility as well as the accuracy of the generated policies compared to actual administrator-defined policies.
We propose a novel method, called PathCrawler, for the automatic generation of structural tests satisfying the all-paths criterion or its k-path variant. The source code is instrumented so as to recover the symbolic execution path each time that the program under test is executed. This code is first executed using inputs arbitrarily selected from the input domain. The resulting symbolic path is transformed into a path predicate by projection of the conditions onto the input variables. The next test is obtained by using constraint logic programming to find new input values outside the domain of the path which is already covered. The instrumented code is then executed on this test and so on, until all feasible paths have been covered. Our method combines static and dynamic analysis in a way that avoids the disadvantages of both. It is currently being implemented for the C language.
Given a context free grammar #CFG# G and an integer n #= 0 we present an algorithm for generating strings derivable from the grammar of length n such that all strings of length n are equally likely. The algorithm requires a pre-processing stage which calculates the number of strings of length k#= n derivable from each post#x # where A ! ## is a production from the grammar. This step requires O#n 2 # time and O#n 2 # space. The subsequent string generation step uses these counts to generate a string in O#n# time and O#n# space. Key words: Analysis of algorithms, Context-free languages, Uniform random generation, memoization. 1 Introduction Let G =#N;T;P;S#beaCFG where N is a set of non-terminal symbols, T is a set of teminal symbols, P is a set of productions of the form A ! # #A 2 N , # 2 #N # T # # # and start symbol S 2 N . This paper is concerned with the problem of generating strings at random derivable from G. Such strings can be used to test parsers and, by introducing e...
Evaluation and testing of internet firewalls
- K Al-Tawil
- I A Al-Kaltham
Firewalls: Jumpstart for network and systems administrators
- J R Vacca
- S Ellis
Network protocols handbook
- Javvin Technologies
