Finding the Dark Cloud: Static Analysis of Cloud Configurations
Shriram Krishnamurthi, Brown University
(slide transcript, uploaded 26-Mar-2015)

TRANSCRIPT

Page 1

Finding the Dark Cloud:
Static Analysis of Cloud Configurations

Shriram Krishnamurthi, Brown University

Page 2

A Cloud of Policies

Application Author: end-user access-control, …
Datacenter Administrator: firewalls, hypervisor Chinese Walls, …
Cloud-Based App Builder

Page 3

Cloud-Based App Builder

“Need isolation at server and network level”
—Shenoy

Page 4

… and other dens of iniquity

Page 5 (figure only)

Page 6 (figure only)

Page 7 (network diagram; labels: int, dmz, dmz, ext; DMZ; hosts: employees, contractors, manager)

Page 8 (external firewall diagram; labels: blacklist, blacklist, telnet, www/tcp, smtp/tcp, www/tcp)

Page 9

ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise

Page 10 (internal firewall diagram; labels: smtp/tcp, www/tcp, fw2_static ipsrc, smtp/tcp)

Page 11

Problem

The manager can’t connect to the Web.

Page 12

Policy Analysis Using Margrave

Page 13

? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?

Page 14

$$\exists p.\ p.\mathrm{dstprt} = \mathrm{www} \land p.\mathrm{proto} = \mathrm{TCP} \land p.\mathrm{ipdest} \in \mathrm{outIPs} \land p.\mathrm{ipsrc} = \mathrm{manager} \land {}$$
$$\big(\mathrm{Int.ACL}\ \text{denies}\ p \ \lor\ \exists p'.\ \mathrm{Int.NAT}\ \text{translates}\ p\ \text{to}\ p' \land p'.\mathrm{dstprt} = p.\mathrm{dstprt} \land p'.\mathrm{proto} = p.\mathrm{proto} \land p'.\mathrm{ipdest} = p.\mathrm{ipdest} \land \mathrm{Ext.ACL}\ \text{denies}\ p'\big)$$

Page 15

p.entry-interface = IntFW.int
p.ipsrc = manager
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.proto = tcp
p’ = p except
  p’.entry-interface = ExtFW.dmz
  p’.ipsrc = fw2_static

Page 16

? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?

Always.

Page 17

? …same query…, but with rule-tracing enabled.

…same response…, with:
Int’s ACL accepts the packet via rule 4.
Int’s NAT applies to the packet.
Int’s ACL denies the post-NAT packet via rule 7.

Page 18 (firewall diagram; labels: www/tcp, fw2_static ipsrc, www/tcp, www/tcp)

Page 19

ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager, fw2_static
7: DROP otherwise

Page 20

P ⊦

Does the policy satisfy its property?

Page 21

P ⊦

“They tend to think in terms of procedures, rather than goals”
—Anderson

Can people state them? Are they good enough?

Page 22

P - P’

Help people with policy evolution: study what has changed

Page 23

$$\exists p.\ \mathrm{Int.ACL}\ \text{accepts}\ p \land \exists p'.\ \mathrm{Int.NAT}\ \text{translates}\ p\ \text{to}\ p' \land p'.\mathrm{dstprt} = p.\mathrm{dstprt} \land p'.\mathrm{proto} = p.\mathrm{proto} \land p'.\mathrm{ipdest} = p.\mathrm{ipdest} \land {}$$
$$\big((\mathrm{Ext.ACL}\ \text{denies}\ p' \land \mathrm{Ext.ACLNew}\ \text{accepts}\ p') \lor (\mathrm{Ext.ACL}\ \text{accepts}\ p' \land \mathrm{Ext.ACLNew}\ \text{denies}\ p')\big)$$

Page 24

Presenting “Change”

p.entry-interface = fw2_int
p.ipsrc = employee
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

p.entry-interface = fw2_int
p.ipsrc = contractor
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

packets: Deny to Permit; Permit to Deny

A function mapping requests to changes in outcome

Page 25

p.entry-interface = fw2_int
p.ipsrc = manager
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

p.entry-interface = fw2_int
p.ipsrc = employee
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

p.entry-interface = fw2_int
p.ipsrc = contractor
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

Denied → Permit
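Added example, not code from the talk or from Margrave: it replays the rule-tracing result of slide 17 (the manager’s post-NAT packet falls through to rule 7) and the change-impact of slides 23 to 25 (adding fw2_static to rule 6 flips employee and contractor traffic from Deny to Permit as well, because they share the same NAT address). Host names, the blacklist entry, and the mapping of ExtFW’s dmz interface to the ACL’s fw1_dmz are assumptions made for the example.

```python
# Added example, not Margrave's own code: the slides' external-firewall ACL as an
# ordered rule list, the internal firewall's static NAT, first-match rule tracing,
# and a change-impact check between the original ACL and the "fixed" one.
# Assumptions: host names, the blacklist entry, and fw1_dmz == ExtFW.dmz (constructed).
BLACKLIST = {"badhost"}  # constructed placeholder entry

def match(**want):
    """Predicate that holds when every listed packet field equals the value."""
    return lambda p: all(p[k] == v for k, v in want.items())

def make_ext_acl(rule6_sources):
    """Rules 1-7 of the external firewall; rule 6 matches ipsrc in rule6_sources."""
    return [
        (1, "DENY", lambda p: p["ifc"] == "fw1_dmz" and p["ipdest"] in BLACKLIST),
        (2, "DENY", lambda p: p["ifc"] == "fw1_ext" and p["ipsrc"] in BLACKLIST),
        (3, "DENY", match(ifc="fw1_dmz", portdest="telnet")),
        (4, "ACCEPT", match(ifc="fw1_ext", ipdest="mailserver", portdest="smtp", proto="tcp")),
        (5, "ACCEPT", match(ifc="fw1_ext", ipdest="webserver", portdest="http", proto="tcp")),
        (6, "ACCEPT", lambda p: match(ifc="fw1_dmz", ipdest="outside", portdest="http",
                                      proto="tcp")(p) and p["ipsrc"] in rule6_sources),
        (7, "DROP", lambda p: True),  # catch-all
    ]

EXT_ACL_OLD = make_ext_acl({"manager"})
EXT_ACL_NEW = make_ext_acl({"manager", "fw2_static"})  # the edit shown on slide 19

def evaluate(acl, p):
    """First-match semantics; returns (decision, rule number) for rule tracing."""
    for num, decision, matches in acl:
        if matches(p):
            return decision, num
    raise ValueError("no rule matched")

def int_nat(p):
    """Internal firewall's static NAT (slide 15): ipsrc becomes fw2_static and
    the packet enters the external firewall on its dmz interface."""
    return dict(p, ipsrc="fw2_static", ifc="fw1_dmz")

def web_packet(src):
    return {"ifc": "fw2_int", "ipsrc": src, "ipdest": "outside",
            "portdest": "http", "proto": "tcp"}  # a www/tcp request, pre-NAT

def change_impact(old, new, packets):
    """Requests whose outcome flips between the two ACLs (slide 23's formula)."""
    flips = {}
    for name, p in packets.items():
        d_old, d_new = evaluate(old, int_nat(p))[0], evaluate(new, int_nat(p))[0]
        if (d_old == "ACCEPT") != (d_new == "ACCEPT"):
            flips[name] = (d_old, d_new)
    return flips
```

Running change_impact over the manager, employee and contractor packets reports all three as Deny to Permit, which is the over-broad effect the change-impact query on slide 23 is designed to surface.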

Page 26

Change as a First-Class Entity

• Restrict changes to External Firewall (View)
• Which machines lost privileges? (Query)
• Confirm no machines gained privileges (Verification)

Page 27

Configuration checking
Upgrade checking
Finding “hotspots”
“What if” questions
Mutation testing
Refactoring testing
?

Page 28

Scope of Margrave

• Most of XACML 1.0 and 2.0
• Cisco IOS:
  – ACL: standard and extended
  – NAT: static; dynamic: ACL-based, map-based
  – routing: static and policy-based
  – limited: BGP announcements and VPN endpoints
• Amazon Access Policy Language (in SQS)
• Hypervisor, based on sHype (IBM)
• A Datalog-based intermediate language

Page 29

Performance

Production firewall (1108 rules):
  Change-impact: Time 2.5 sec; Space: baseline + 83 Mb
  List all superfluous rules: Time 10 min; Space: baseline + 467 Mb

Production XACML policy:
  Verification: Time <10 millisec; Space: baseline + 316 Kb
  Change-impact: Time 2 millisec; Space: baseline + 16 Kb

Page 30

Under the Hood

Translation into first-order logic
Propositionalize to BDDs and SAT
Bernays-Schönfinkel-Ramsey class
Extended to multi-sorted logic
Some small theories for networking
Aggregation to compress i. and o.
Rule-tracing EDBs and IDBs in models

Page 31

Upcoming Work

• More sophisticated modeling of state
• Visualization of output
• Generating constraints on components
• Suggesting repairs
• Handling numerics

Page 32

• Dan Dougherty [WPI]
• Kathi Fisler [WPI]
• Tim Nelson [WPI]
• Alums:
  – Leo Meyerovich [Brown u.g., Berkeley]
  – Michael Tschantz [Brown u.g., CMU]

http://www.margrave-tool.org/