
Publication


Featured research published by Rafael M. Gasca.


availability, reliability and security | 2007

CSP-Based Firewall Rule Set Diagnosis using Security Policies

Sergio Pozo; R. Ceballos; Rafael M. Gasca

The most important part of a firewall configuration process is the implementation of a security policy by a security administrator. However, this security policy is not designed by higher levels of the organisation, nor is written anywhere, so it is very usual to make mistakes in its implementation. To solve this problem we propose to express this global access control policy in some informal language that is translated to a model specification in conjunction with the firewall rule set. Then we construct a constraint satisfaction problem to detect and identify the possible inconsistencies between the specified policy and the firewall rule set.


Information Systems | 2015

Compliance validation and diagnosis of business data constraints in business processes at runtime

María Teresa Gómez-López; Rafael M. Gasca; José Miguel Pérez-Álvarez

Business processes involve data that can be modified and updated by various activities at any time. The data involved in a business process can be associated with flow elements or data stored. These data must satisfy the business compliance rules associated with the process, where business compliance rules are policies or statements that govern the behaviour of a company. To improve and automate the validation and diagnosis of compliance rules based on the description of data semantics (called Business Data Constraints), we propose a framework where dataflow variables and stored data are analyzed. The validation and diagnosis process is automated using Constraint Programming, to permit the detection and identification of possibly unsatisfiable Business Data Constraints, even if the data involved in these constraints are not all instantiated. This implies that the potential errors can be determined in advance. Furthermore, a language to describe Business Data Constraints is proposed, for the improvement of user-oriented aspects of the business process description. This language allows a business expert to write Business Data Constraints that will be automatically validated in run-time, without the support of an information technology expert.

Highlights: This paper proposes an enlargement of the business process model for data values. A language is defined for Business Data Constraints associated to each activity. The validation and diagnosis is developed at runtime according to the data values. It permits an early identification of the non-compliance using Constraint Programming.


Information & Software Technology | 2009

Model-Based Development of firewall rule sets: Diagnosing model inconsistencies

Sergio Pozo; R. Ceballos; Rafael M. Gasca

The design and management of firewall rule sets is a very difficult and error-prone task because of the difficulty of translating access control requirements into complex low-level firewall languages. Although high-level languages have been proposed to model firewall access control lists, none has been widely adopted by the industry. We think that the main reason is that their complexity is close to that of many existing low-level languages. In addition, none of the high-level languages that automatically generate firewall rule sets verifies the model prior to the code-generation phase. Error correction in the early stages of the development process is cheaper compared to the cost associated with correcting errors in the production phase. In addition, errors generated in the production phase usually have a huge impact on the reliability and robustness of the generated code and final system. In this paper, we propose the application of the ideas of Model-Based Development to firewall access control list modelling and automatic rule set generation. First, an analysis of the most widely used firewall languages in the industry is conducted. Next, a Platform-Independent Model for firewall ACLs is proposed. This model is the result of exhaustive analysis and of a discussion of different alternatives for models in a bottom-up methodology. Then, it is proposed that a verification stage be added in the early stages of the Model-Based Development methodology, and a polynomial time complexity process and algorithms are proposed to detect and diagnose inconsistencies in the Platform-Independent Model. Finally, a theoretical complexity analysis and empirical tests with real models were conducted, in order to prove the feasibility of our proposal in real environments.


data and knowledge engineering | 2013

Diagnosing correctness of semantic workflow models

Diana Borrego; Rik Eshuis; María Teresa Gómez-López; Rafael M. Gasca

To model operational business processes in an accurate way, workflow models need to reference both the control flow and dataflow perspectives. Checking the correctness of such workflow models and giving precise feedback in case of errors is challenging due to the interplay between these different perspectives. In this paper, we propose a fully automated approach for diagnosing correctness of semantic workflow models in which the semantics of activities are specified with pre and postconditions. The control flow and dataflow perspectives of a semantic workflow are modeled in an integrated way using Artificial Intelligence techniques (Integer Programming and Constraint Programming). The approach has been implemented in the DiagFlow tool, which reads and diagnoses annotated XPDL models, using a state-of-the-art constraint solver as back end. Using this novel approach, complex semantic workflow models can be verified and diagnosed in an efficient way.


international conference on computational science and its applications | 2008

AFPL, an Abstract Language Model for Firewall ACLs

Sergio Pozo; R. Ceballos; Rafael M. Gasca

Design and management of firewall rule sets is difficult and error prone, mainly because the translation of access control requirements to low level languages is difficult. Abstract languages have been proposed, but none have been adopted by the industry. We think that the main reason is that their complexity is close to many of the existing low level languages. Complexity is defined as the difficulty to express knowledge from the reality being modeled (access control requirements). In this paper, we analyze the most widely used firewall languages and different possibilities of abstraction. Based on this analysis, a model for Firewall languages is proposed, and a new simple yet expressive and powerful firewall abstract language, Abstract Firewall Policy Language (AFPL), is proposed. AFPL can then be translated to existing low level firewall languages, or be directly interpreted by firewall platforms. We expect that AFPL can fill the gap between requirements and low level firewall languages.


CAEPIA'05 Proceedings of the 11th Spanish association conference on Current Topics in Artificial Intelligence | 2005

Diagnosing errors in dbc programs using constraint programming

R. Ceballos; Rafael M. Gasca; C. Del Valle; Diana Borrego

Model-Based Diagnosis allows to determine why a correctly designed system does not work as it was expected. In this paper, we propose a methodology for software diagnosis which is based on the combination of Design by Contract, Model-Based Diagnosis and Constraint Programming. The contracts are specified by assertions embedded in the source code. These assertions and an abstraction of the source code are transformed into constraints, in order to obtain the model of the system. Afterwards, a goal function is created for detecting which assertions or source code statements are incorrect. The application of this methodology is automatic and is based on Constraint Programming techniques. The originality of this work stems from the transformation of contracts and source code into constraints, in order to determine which assertions and source code statements are not consistent with the specification.


international conference on communications | 2007

Mesh Network Firewalling with Bloom Filters

Leonardo Maccari; Romano Fantacci; P. Neira; Rafael M. Gasca

The nodes of a multi-hop wireless mesh network often share a single physical media for terminal traffic and for the backhaul network, so that the available resources are extremely scarce. Under these conditions it is important to avoid that unwanted traffic may traverse the network subtracting resources to authorized terminals. Packet filtering in wireless mesh networks is an extremely challenging task, since the number of possible connections is quadratic with respect to the number of the terminals of the network; for each connection a rule is needed and the time needed for filtering grows linearly with the number of rules. Moreover nodes can be in possession of end users and the administrator might want to keep the explicit ruleset as much secret as possible while giving the nodes enough data to behave as a firewall. In this article we present a solution for distributed firewalling in multi-hop mesh networks based on the use of Bloom Filters, a powerful but compact data structure allowing probabilistic membership queries.


IEEE Communications Magazine | 2008

Efficient packet filtering in wireless ad hoc networks

Romano Fantacci; Leonardo Maccari; Pablo Neira Ayuso; Rafael M. Gasca

Wireless ad hoc networks are an emerging technology. These networks are composed of mobile nodes and may adopt different topologies depending on the nature of the environment. Nevertheless, they are vulnerable to network layer attacks that cannot be neutralized easily. In wired networks, firewalls improve the level of security by means of packet filtering techniques that determine what traffic is allowed, thereby reducing the impact of such attacks. In this work, we overview the requirements to adapt firewalls to wireless ad hoc networks and highlight the advantages of the use of filtering techniques based on Bloom filters.


data and knowledge engineering | 2009

Developing a labelled object-relational constraint database architecture for the projection operator

María Teresa Gómez-López; R. Ceballos; Rafael M. Gasca; Carmelo Del Valle

Current relational databases have been developed in order to improve the handling of stored data, however, there are some types of information that have to be analysed for which no suitable tools are available. These new types of data can be represented and treated as constraints, allowing a set of data to be represented through equations, inequations and Boolean combinations of both. To this end, constraint databases were defined and some prototypes were developed. Since there are aspects that can be improved, we propose a new architecture called labelled object-relational constraint database (LORCDB). This provides more expressiveness, since the database is adapted in order to support more types of data, instead of the data having to be adapted to the database. In this paper, the projection operator of SQL is extended so that it works with linear and polynomial constraints and variables of constraints. In order to optimize query evaluation efficiency, some strategies and algorithms have been used to obtain an efficient query plan. Most work on constraint databases uses spatiotemporal data as case studies. However, this paper proposes model-based diagnosis since it is a highly potential research area, and model-based diagnosis permits more complicated queries than spatiotemporal examples. Our architecture permits the queries over constraints to be defined over different sets of variables by using symbolic substitution and elimination of variables.


Information & Software Technology | 2015

Automating correctness verification of artifact-centric business process models

Diana Borrego; Rafael M. Gasca; María Teresa Gómez-López

Highlights: Artifact-centric business process models are fully automatically verified. Two correctness notions are verified: reachability and weak termination. The models integrate pre and postconditions defining the behavior of the services. Verification of numerical data, even for models formed by several artifacts. Novel verification algorithms check the correctness, offering precise diagnosis.

Context: The artifact-centric methodology has emerged as a new paradigm to support business process management over the last few years. This way, business processes are described from the point of view of the artifacts that are manipulated during the process.

Objective: One of the research challenges in this area is the verification of the correctness of this kind of business process models where the model is formed of various artifacts that interact among them.

Method: In this paper, we propose a fully automated approach for verifying correctness of artifact-centric business process models, taking into account that the state (lifecycle) and the values of each artifact (numerical data described by pre and postconditions) influence in the values and the state of the others. The lifecycles of the artifacts and the numerical data managed are modeled by using the Constraint Programming paradigm, an Artificial Intelligence technique.

Results: Two correctness notions for artifact-centric business process models are distinguished (reachability and weak termination), and novel verification algorithms are developed to check them. The algorithms are complete: neither false positives nor false negatives are generated. Moreover, the algorithms offer precise diagnosis of the detected errors, indicating the execution causing the error where the lifecycle gets stuck.

Conclusion: To the best of our knowledge, this paper presents the first verification approach for artifact-centric business process models that integrates pre and postconditions, which define the behavior of the services, and numerical data verification when the model is formed of more than one artifact. The approach can detect errors not detectable with other approaches.
