Cargando…
Verified iptables Firewall Analysis and Verification
This article summarizes our efforts around the formally verified static analysis of iptables rulesets using Isabelle/HOL. We build our work around a formal semantics of the behavior of iptables firewalls. This semantics is tailored to the specifics of the filter table and supports arbitrary match ex...
| Autores principales: | , , , , |
|---|---|
| Formato: | Online Artículo Texto |
| Lenguaje: | English |
| Publicado: |
Springer Netherlands
2018
|
| Materias: | |
| Acceso en línea: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6044321/ https://www.ncbi.nlm.nih.gov/pubmed/30069072 http://dx.doi.org/10.1007/s10817-017-9445-1 |
| _version_ | 1783339462099468288 |
|---|---|
| author | Diekmann, Cornelius Hupel, Lars Michaelis, Julius Haslbeck, Maximilian Carle, Georg |
| author_facet | Diekmann, Cornelius Hupel, Lars Michaelis, Julius Haslbeck, Maximilian Carle, Georg |
| author_sort | Diekmann, Cornelius |
| collection | PubMed |
| description | This article summarizes our efforts around the formally verified static analysis of iptables rulesets using Isabelle/HOL. We build our work around a formal semantics of the behavior of iptables firewalls. This semantics is tailored to the specifics of the filter table and supports arbitrary match expressions, even new ones that may be added in the future. Around that, we organize a set of simplification procedures and their correctness proofs: we include procedures that can unfold calls to user-defined chains, simplify match expressions, and construct approximations removing unknown or unwanted match expressions. For analysis purposes, we describe a simplified model of firewalls that only supports a single list of rules with limited expressiveness. We provide and verify procedures that translate from the complex iptables language into this simple model. Based on that, we implement the verified generation of IP space partitions and minimal service matrices. An evaluation of our work on a large set of real-world firewall rulesets shows that our framework provides interesting results in many situations, and can both help and out-compete other static analysis frameworks found in related work. |
| format | Online Article Text |
| id | pubmed-6044321 |
| institution | National Center for Biotechnology Information |
| language | English |
| publishDate | 2018 |
| publisher | Springer Netherlands |
| record_format | MEDLINE/PubMed |
| spelling | pubmed-60443212018-07-30 Verified iptables Firewall Analysis and Verification Diekmann, Cornelius Hupel, Lars Michaelis, Julius Haslbeck, Maximilian Carle, Georg J Autom Reason Article This article summarizes our efforts around the formally verified static analysis of iptables rulesets using Isabelle/HOL. We build our work around a formal semantics of the behavior of iptables firewalls. This semantics is tailored to the specifics of the filter table and supports arbitrary match expressions, even new ones that may be added in the future. Around that, we organize a set of simplification procedures and their correctness proofs: we include procedures that can unfold calls to user-defined chains, simplify match expressions, and construct approximations removing unknown or unwanted match expressions. For analysis purposes, we describe a simplified model of firewalls that only supports a single list of rules with limited expressiveness. We provide and verify procedures that translate from the complex iptables language into this simple model. Based on that, we implement the verified generation of IP space partitions and minimal service matrices. An evaluation of our work on a large set of real-world firewall rulesets shows that our framework provides interesting results in many situations, and can both help and out-compete other static analysis frameworks found in related work. Springer Netherlands 2018-01-03 2018 /pmc/articles/PMC6044321/ /pubmed/30069072 http://dx.doi.org/10.1007/s10817-017-9445-1 Text en © The Author(s) 2018 Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. |
| spellingShingle | Article Diekmann, Cornelius Hupel, Lars Michaelis, Julius Haslbeck, Maximilian Carle, Georg Verified iptables Firewall Analysis and Verification |
| title | Verified iptables Firewall Analysis and Verification |
| title_full | Verified iptables Firewall Analysis and Verification |
| title_fullStr | Verified iptables Firewall Analysis and Verification |
| title_full_unstemmed | Verified iptables Firewall Analysis and Verification |
| title_short | Verified iptables Firewall Analysis and Verification |
| title_sort | verified iptables firewall analysis and verification |
| topic | Article |
| url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6044321/ https://www.ncbi.nlm.nih.gov/pubmed/30069072 http://dx.doi.org/10.1007/s10817-017-9445-1 |
| work_keys_str_mv | AT diekmanncornelius verifiediptablesfirewallanalysisandverification AT hupellars verifiediptablesfirewallanalysisandverification AT michaelisjulius verifiediptablesfirewallanalysisandverification AT haslbeckmaximilian verifiediptablesfirewallanalysisandverification AT carlegeorg verifiediptablesfirewallanalysisandverification |