Slide 1
Finding the Dark Cloud:
Static Analysis of Cloud Configurations
Shriram Krishnamurthi, Brown University
Slide 2
A Cloud of Policies
Application Author: end-user access-control, …
Datacenter Administrator: firewalls, hypervisor Chinese Walls, …
Cloud-Based App Builder
Slide 3
Cloud-Based App Builder
“Need isolation at server and network level”
—Shenoy
Slide 4
… and other dens of iniquity
Slide 5
Slide 6
Slide 7
Network diagram (labels only): int, dmz, dmz, ext; DMZ; employees, contractors, manager
Slide 8
Network diagram (labels only): blacklist, blacklist; telnet; www/tcp; smtp/tcp; www/tcp
Slide 9
ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise
Slide 10
Network diagram (labels only): smtp/tcp; www/tcp; fw2_static (ipsrc); smtp/tcp
Slide 11
Problem
The manager can’t connect to the Web.
Slide 12
Policy Analysis
Using Margrave
Slide 13
? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?
Slide 14
∃p . p.dstprt = www ∧ p.proto = TCP ∧ p.ipdest ∈ outIPs ∧ p.ipsrc = manager ∧
  ( Int.ACL denies p
    ∨ ∃p’ . Int.NAT translates p to p’ ∧ p’.dstprt = p.dstprt ∧ p’.proto = p.proto ∧ p’.ipdest = p.ipdest ∧ Ext.ACL denies p’ )
Slide 15
p.entry-interface = IntFW.int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.proto = tcp
p’ = p except: p’.entry-interface = ExtFW.dmz, p’.ipsrc = fw2_static
Slide 16
? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?
Always.
Slide 17
? …same query…, but with rule-tracing enabled.
…same response…, with:
Int’s ACL accepts the packet via rule 4.
Int’s NAT applies to the packet.
Ext’s ACL denies the post-NAT packet via rule 7.
Slide 18
Network diagram (labels only): www/tcp; fw2_static (ipsrc); www/tcp; www/tcp
Slide 19
ACL for External firewall (after the change):
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=fw2_static (changed from manager)
7: DROP otherwise
Slide 20
P ⊦
Does the policy satisfy its property?
Slide 21
P ⊦
“They tend to think in terms of procedures, rather than goals”
—Anderson
Can people state them? Are they good enough?
Slide 22
P - P’
Help people with policy evolution: study what has changed
Slide 23
∃p . Int.ACL accepts p ∧ ∃p’ . Int.NAT translates p to p’ ∧ p’.dstprt = p.dstprt ∧ p’.proto = p.proto ∧ p’.ipdest = p.ipdest ∧
  ( (Ext.ACL denies p’ ∧ Ext.ACLNew accepts p’) ∨ (Ext.ACL accepts p’ ∧ Ext.ACLNew denies p’) )
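The rule-traced query of slide 17 and the change-impact query above, as a small added Python model that is not Margrave’s code and not from the talk: the external firewall’s seven rules with first-match semantics and the number of the rule that fired, the internal firewall’s NAT as the trace describes it, and a comparison of the original and changed ACLs over the NATed requests. Host names, the blacklist member and the outside address are constructed placeholders, and Int’s own ACL is assumed to accept the outbound www request, as the trace reports.

```python
from dataclasses import dataclass, replace
from typing import Callable

@dataclass(frozen=True)
class Packet:
    ifc: str       # entry interface on the firewall evaluating the packet
    ipsrc: str
    ipdest: str
    dstprt: str    # "www" stands for port 80, as on the slides
    proto: str

Rule = tuple[str, Callable[[Packet], bool]]   # (decision, match predicate)
BLACKLIST = {"badhost"}   # constructed sample member of the blacklist
OUTSIDE = {"outhost"}     # constructed sample of "any outside" / outIPs

def ext_acl(rule6_src: str) -> list[Rule]:
    """Slide 9's external-firewall ACL; rule 6's ipsrc is a parameter so old and new policies can be compared."""
    return [
        ("DENY",   lambda p: p.ifc == "fw1_dmz" and p.ipdest in BLACKLIST),
        ("DENY",   lambda p: p.ifc == "fw1_ext" and p.ipsrc in BLACKLIST),
        ("DENY",   lambda p: p.ifc == "fw1_dmz" and p.dstprt == "telnet"),
        ("ACCEPT", lambda p: p.ifc == "fw1_ext" and p.ipdest == "mailserver"
                             and p.dstprt == "smtp" and p.proto == "tcp"),
        ("ACCEPT", lambda p: p.ifc == "fw1_ext" and p.ipdest == "webserver"
                             and p.dstprt == "www" and p.proto == "tcp"),
        ("ACCEPT", lambda p: p.ifc == "fw1_dmz" and p.ipdest in OUTSIDE and p.dstprt == "www"
                             and p.proto == "tcp" and p.ipsrc == rule6_src),
        ("DROP",   lambda p: True),                       # 7: DROP otherwise
    ]

def evaluate(acl: list[Rule], p: Packet) -> tuple[str, int]:
    """First-match ACL semantics: (decision, 1-based rule number), i.e. rule tracing."""
    for n, (decision, pred) in enumerate(acl, 1):
        if pred(p):
            return decision, n

def int_nat(p: Packet) -> Packet:
    """Int's NAT as the trace shows it: source becomes fw2_static, packet enters Ext on its dmz interface."""
    return replace(p, ifc="fw1_dmz", ipsrc="fw2_static")

def change_impact(old: list[Rule], new: list[Rule], hosts: list[str]) -> dict[str, str]:
    """Requests whose Ext outcome flips between old and new ACL, labelled as on slide 24."""
    flips = {}
    for h in hosts:
        q = int_nat(Packet("fw2_int", h, "outhost", "www", "tcp"))   # constructed request
        before, after = (evaluate(old, q)[0] == "ACCEPT", evaluate(new, q)[0] == "ACCEPT")
        if before != after:
            flips[h] = "Deny to Permit" if after else "Permit to Deny"
    return flips
```

Tracing the manager’s request through the original ACL yields `("DROP", 7)`, because NAT has rewritten the source to fw2_static before rule 6 sees it; the change-impact comparison reports every internal host flipping from Deny to Permit, which is the effect slide 25 presents.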
Slide 24
Presenting “Change”
A function mapping requests to changes in outcome (packets ↦ Deny to Permit / Permit to Deny):
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
Slide 25
p.entry-interface = fw2_int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
Denied → Permit
Slide 26
Change as a First-Class Entity
• Restrict changes to External Firewall (View)
• Which machines lost privileges? (Query)
• Confirm no machines gained privileges (Verification)
Slide 27
Configuration checking
Upgrade checking
Finding “hotspots”
“What if” questions
Mutation testing
Refactoring testing
Slide 28
Scope of Margrave
• Most of XACML 1.0 and 2.0
• Cisco IOS:
  – ACL: standard and extended
  – NAT: static; dynamic: ACL-based, map-based
  – routing: static and policy-based
  – limited: BGP announcements and VPN endpoints
• Amazon Access Policy Language (in SQS)
• Hypervisor, based on sHype (IBM)
• A Datalog-based intermediate language
Slide 29
Performance
Production firewall (1108 rules):
  Change-impact: Time: 2.5 sec; Space: baseline + 83 Mb
  List all superfluous rules: Time: 10 min; Space: baseline + 467 Mb
Production XACML policy:
  Verification: Time: <10 millisec; Space: baseline + 316 Kb
  Change-impact: Time: 2 millisec; Space: baseline + 16 Kb
Slide 30
Under the Hood
Translation into first-order logic
Propositionalize to BDDs and SAT
Bernays-Schönfinkel-Ramsey class
Extended to multi-sorted logic
Some small theories for networking
Aggregation to compress i. and o.
Rule-tracing EDBs and IDBs in models
Slide 31
Upcoming Work
• More sophisticated modeling of state
• Visualization of output
• Generating constraints on components
• Suggesting repairs
• Handling numerics
Slide 32
• Dan Dougherty [WPI]
• Kathi Fisler [WPI]
• Tim Nelson [WPI]
• Alums:
  – Leo Meyerovich [Brown u.g., Berkeley]
  – Michael Tschantz [Brown u.g., CMU]
http://www.margrave-tool.org/