R. Ceballos

On the complexity of program debugging using constraints for modeling the program's syntax and semantics

The use of model-based diagnosis for automated program debugging has been reported in several publications. The quality of the obtained results in terms of debugging accuracy is good. Unfortunately, most of the proposed models and techniques have very high computational needs. In this paper we focus on giving an explanation for the high computational needs of debugging. In particular, we propose a constraint representation of programs whose behavior is equivalent to the original programs. We further analyze the constraint representation to obtain its hypertree width, which is an indicator for the complexity of the corresponding constraint satisfaction problem. As constraint-based debugging is equivalent to constraint solving, the hypertree width is also an indicator for the debugging complexity. We further show that it is possible to construct arbitrarily complex programs such that their hypertree width is not bounded as indicated in previous literature.

CSP-Based Firewall Rule Set Diagnosis using Security Policies

The most important part of a firewall configuration process is the implementation of a security policy by a security administrator. However, this security policy is not designed by higher levels of the organisation, nor is written anywhere, so it is very usual to make mistakes in its implementation. To solve this problem we propose to express this global access control policy in some informal language that is translated to a model specification in conjunction with the firewall rule set. Then we construct a constraint satisfaction problem to detect and identify the possible inconsistencies between the specified policy and the firewall rule set

Model-Based Development of firewall rule sets: Diagnosing model inconsistencies

The design and management of firewall rule sets is a very difficult and error-prone task because of the difficulty of translating access control requirements into complex low-level firewall languages. Although high-level languages have been proposed to model firewall access control lists, none has been widely adopted by the industry. We think that the main reason is that their complexity is close to that of many existing low-level languages. In addition, none of the high-level languages that automatically generate firewall rule sets verifies the model prior to the code-generation phase. Error correction in the early stages of the development process is cheaper compared to the cost associated with correcting errors in the production phase. In addition, errors generated in the production phase usually have a huge impact on the reliability and robustness of the generated code and final system. In this paper, we propose the application of the ideas of Model-Based Development to firewall access control list modelling and automatic rule set generation. First, an analysis of the most widely used firewall languages in the industry is conducted. Next, a Platform-Independent Model for firewall ACLs is proposed. This model is the result of exhaustive analysis and of a discussion of different alternatives for models in a bottom-up methodology. Then, it is proposed that a verification stage be added in the early stages of the Model-Based Development methodology, and a polynomial time complexity process and algorithms are proposed to detect and diagnose inconsistencies in the Platform-Independent Model. Finally, a theoretical complexity analysis and empirical tests with real models were conducted, in order to prove the feasibility of our proposal in real environments.

AFPL, an Abstract Language Model for Firewall ACLs

Design and management of firewall rule sets is difficult and error prone, mainly because the translation of access control requirements to low level languages is difficult. Abstract languages have been proposed, but none have been adopted by the industry. We think that the main reason is that their complexity is close to many of the existing low level languages. Complexity is defined as the difficulty to express knowledge from the reality being modeled (access control requirements). In this paper, we analyze the most widely used firewall languages and different possibilities of abstraction. Based on this analysis, a model for Firewall languages is proposed, and a new simple yet expressive and powerful firewall abstract language, Abstract Firewall Policy Language (AFPL), is proposed. AFPL can then be translated to existing low level firewall languages, or be directly interpreted by firewall platforms. We expect that AFPL can fill the gap between requirements and low level firewall languages.

Diagnosing errors in dbc programs using constraint programming

Model-Based Diagnosis allows to determine why a correctly designed system does not work as it was expected. In this paper, we propose a methodology for software diagnosis which is based on the combination of Design by Contract, Model-Based Diagnosis and Constraint Programming. The contracts are specified by assertions embedded in the source code. These assertions and an abstraction of the source code are transformed into constraints, in order to obtain the model of the system. Afterwards, a goal function is created for detecting which assertions or source code statements are incorrect. The application of this methodology is automatic and is based on Constraint Programming techniques. The originality of this work stems from the transformation of contracts and source code into constraints, in order to determine which assertions and source code statements are not consistent with the specification.

Biology of Mastrus ridibundus (Gravenhorst), a potential biological control agent for area-wide management of Cydia pomonella (Linneaus) (Lepidoptera: Tortricidae).

The codling moth Cydia pomonella (Linnaeus) (Lepidoptera: Tortricidae) is a serious pest of pome fruit crops. A natural enemy of codling moth, the larval ectoparasitoid Mastrus ridibundus (Gravenhorst) (Hymenoptera: Ichneumonidae) has been imported into South America from the USA but little is known about the biology and ecology of the wasp, knowledge that is needed to design an efficient strategy of release and establishment. Experiments were carried out to assess important traits of the biology of the parasitoid in relation to its possible use as a biocontrol agent for codling moth. When M. ridibundus females were offered larvae ranging in weight from 37 to 78 mg, they oviposited more eggs on heavier hosts. In another study, the adult wasps were offered honey, diluted honey (10%) or pollen in paired choice tests and both males and females preferred honey over the other two foods. Females preferred 10% honey over pollen, while the males showed the opposite preference. Honey‐fed females lived longer than starved females. Adults died rapidly at 35°C, while they lived 20 days at 25°C and 12–17 days at 15°C. Female wasps had on average 25 ± 14 and 18 ± 11 progeny at 15 and 25°C, respectively, but they did not had progeny at 35°C. The development time (egg to adult emergence) was on average 44 ± 7 and 24 ± 2 days at 15 and 25°C respectively. Immature insects did not reach the adult stage at 35°C.

Developing a labelled object-relational constraint database architecture for the projection operator

Current relational databases have been developed in order to improve the handling of stored data, however, there are some types of information that have to be analysed for which no suitable tools are available. These new types of data can be represented and treated as constraints, allowing a set of data to be represented through equations, inequations and Boolean combinations of both. To this end, constraint databases were defined and some prototypes were developed. Since there are aspects that can be improved, we propose a new architecture called labelled object-relational constraint database (LORCDB). This provides more expressiveness, since the database is adapted in order to support more types of data, instead of the data having to be adapted to the database. In this paper, the projection operator of SQL is extended so that it works with linear and polynomial constraints and variables of constraints. In order to optimize query evaluation efficiency, some strategies and algorithms have been used to obtain an efficient query plan. Most work on constraint databases uses spatiotemporal data as case studies. However, this paper proposes model-based diagnosis since it is a highly potential research area, and model-based diagnosis permits more complicated queries than spatiotemporal examples. Our architecture permits the queries over constraints to be defined over different sets of variables by using symbolic substitution and elimination of variables.

NMUS: Structural Analysis for Improving the Derivation of All MUSes in Overconstrained Numeric CSPs

Models are used in science and engineering for experimentation, analysis, model-based diagnosis, design and planning/sheduling applications. Many of these models are overconstrained Numeric Constraint Satisfaction Problems (NCSP), where the numeric constraints could have linear or polynomial relations. In practical scenarios, it is very useful to know which parts of the overconstrained NCSP instances cause the unsolvability. Although there are algorithms to find all optimal solutions for this problem, they are computationally expensive, and hence may not be applicable to large and real-world problems. Our objective is to improve the performance of these algorithms for numeric domains using structural analysis. We provide experimental results showing that the use of the different strategies proposed leads to a substantially improved performance and it facilitates the application of solving larger and more realistic problems.

A Heuristic Process for Local Inconsistency Diagnosis in Firewall Rule Sets

Writing and managing firewall ACLs are hard and error-prone tasks for a wide range of reasons. During these tasks, inconsistent rules can be introduced. An inconsistent firewall ACL implies in general a design error, and indicates that the firewall is accepting traffic that should be denied or vice versa. However, the administrator is who ultimately decides if an inconsistent rule is a fault or not. Although many algorithms to diagnose inconsistencies in firewall ACLs have been proposed, they have different drawbacks regarding many aspects of the consistency management problem, which can prevent their use in a wide range of real-life situations. The most important one is that they give complete and minimal results, but their algorithmic complexity is too high, making the problem intractable for even reasonably-sized ACLs. In this paper we present an analysis of the consistency diagnosis problem in firewall ACLs. Based on this analysis, we propose to split the process in several parts that can be solved sequentially: inconsistency detection and isolation, inconsistent rules identification, and inconsistency characterization. Our algorithms are the first which can solve the detection, isolation, and identification problems in quadratic time complexity, giving complete but not necessarily minimal results. A theoretical complexity analysis as well as experimental results with real ACLs is given.

Fast Algorithms for Consistency-Based Diagnosis of Firewall Rule Sets

Firewalls provide the first line of defence of nearly all networked institutions today. However, Firewall ACL management suffer some problems that need to be addressed in order to be effective. The most studied one is rule set consistency. There is an inconsistency if different actions can be taken on the same traffic, depending on the ordering of the rules. In this paper a new algorithm to diagnose inconsistencies in firewall rule sets is presented. Although many algorithms have been proposed to address this problem, the presented one is a big improvement over them, due to its low algorithmic and memory complexity, even in worst case. In addition, there is no need to pre-process in any way the rule set previous to the application of the algorithms. We also present experimental results with real rule sets that validate our proposal.