Policy-Informed Program Analyses

Finding the Dark Cloud: Static Analysis of Cloud Configurations
Shriram Krishnamurthi, Brown University
A Cloud of Policies
Application Author:
end-user access-control, …
Datacenter Administrator:
firewalls, hypervisor Chinese Walls, …
Cloud-Based App Builder
Cloud-Based App Builder
“Need isolation at server and network level” —Shenoy
… and other dens of iniquity
[Network diagram: an internal firewall with interfaces int and dmz, an external firewall with interfaces dmz and ext; internal hosts employees, contractors and the manager; servers in the DMZ]
[Diagram: the same topology annotated with the flows the external firewall governs: tcp/www, tcp/smtp, telnet, and the blacklist]
ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise
[Diagram: the same topology with the tcp/smtp and tcp/www flows; packets leaving the internal firewall carry ipsrc = fw2_static after NAT]
Problem
The manager can’t connect to the Web.
Policy Analysis
Using Margrave
? When can a connection from the manager’s PC be denied if it’s
• to port 80 (www)
• over TCP
• to any machine?
∃p . p.dstprt = www ∧ p.proto = TCP ∧
     p.ipdest ∈ outIPs ∧ p.ipsrc = manager ∧
     (Int.ACL denies p
      ∨ ∃p’ . Int.NAT translates p to p’
             ∧ p’.dstprt = p.dstprt
             ∧ p’.proto = p.proto
             ∧ p’.ipdest = p.ipdest
             ∧ Ext.ACL denies p’)
p.entry-interface = IntFW.int
p.ipsrc = manager
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.proto = tcp
p’ = p except
p’.entry-interface = ExtFW.dmz
p’.ipsrc = fw2_static
? When can a connection from the manager’s PC be denied if it’s
• to port 80 (www)
• over TCP
• to any machine?
Always.
? …same query…, but with rule-tracing enabled.
…same response…, with
• Int’s ACL accepts the packet via rule 4.
• Int’s NAT applies to the packet.
• Int’s ACL denies the post-NAT packet via rule 7.
[Diagram: the manager’s tcp/www connection, with ipsrc rewritten to fw2_static by the internal firewall’s NAT before it reaches the external firewall]
ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=fw2_static (changed from manager)
7: DROP otherwise
Does the policy satisfy its property?
Can people state them?
Are they good enough?
“They tend to think in terms of procedures, rather than goals” —Anderson
Help people with policy evolution: study what has changed
∃p . Int.ACL accepts p ∧
     ∃p’ . Int.NAT translates p to p’
          ∧ p’.dstprt = p.dstprt
          ∧ p’.proto = p.proto
          ∧ p’.ipdest = p.ipdest
          ∧ ((Ext.ACL denies p’ ∧ Ext.ACLNew accepts p’)
             ∨ (Ext.ACL accepts p’ ∧ Ext.ACLNew denies p’))
Presenting “Change”
A function mapping requests (packets) to changes in outcome: Deny to Permit, Permit to Deny.
Example packets:
• p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
• p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
Denied → Permit:
• p.entry-interface = fw2_int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
• p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
• p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
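The rule-tracing query (Int accepts via rule 4, NAT applies, the post-NAT packet is dropped by rule 7) and the change-impact formula (packets whose outcome differs between Ext.ACL and Ext.ACLNew) rest on the same mechanics: a first-match ACL, the internal firewall’s NAT, and a comparison of end-to-end outcomes. The Python model below is an added example; it is not Margrave’s code and does not use its query language. It assumes a hypothetical stand-in for the internal firewall’s ACL (the slides show only that its rule 4 accepts the manager’s web traffic), the constructed addresses `badhost` and `outside1` for the blacklist and “any outside”, and a small enumerated packet space where Margrave reasons symbolically over all packets.

```python
# Toy model of the slides' two-firewall example: first-match ACL evaluation with
# rule tracing, the internal firewall's NAT, and change-impact between the
# original and corrected external ACL. Constructed; not Margrave's code.
from dataclasses import dataclass, replace
from itertools import product

@dataclass(frozen=True)
class Packet:
    ifc: str     # entry interface at the firewall evaluating the packet
    ipsrc: str
    ipdest: str
    dstprt: str  # "http" here is what the slides' queries call www / port 80
    proto: str

BLACKLIST = {"badhost"}   # constructed stand-in for the slides' blacklist
OUTSIDE = {"outside1"}    # constructed stand-in for "any outside"

def ext_acl(rule6_ipsrc):
    """External-firewall ACL as listed on the slides; rule6_ipsrc is "manager"
    in the original policy and "fw2_static" in the corrected one."""
    return [
        (1, "DENY",   lambda p: p.ifc == "fw1_dmz" and p.ipdest in BLACKLIST),
        (2, "DENY",   lambda p: p.ifc == "fw1_ext" and p.ipsrc in BLACKLIST),
        (3, "DENY",   lambda p: p.ifc == "fw1_dmz" and p.dstprt == "telnet"),
        (4, "ACCEPT", lambda p: p.ifc == "fw1_ext" and p.ipdest == "mailserver"
                                and p.dstprt == "smtp" and p.proto == "tcp"),
        (5, "ACCEPT", lambda p: p.ifc == "fw1_ext" and p.ipdest == "webserver"
                                and p.dstprt == "http" and p.proto == "tcp"),
        (6, "ACCEPT", lambda p: p.ifc == "fw1_dmz" and p.ipdest in OUTSIDE
                                and p.dstprt == "http" and p.proto == "tcp"
                                and p.ipsrc == rule6_ipsrc),
    ]

def evaluate(acl, p):
    """First matching rule wins; rule 7 (DROP otherwise) is the default."""
    for num, action, pred in acl:
        if pred(p):
            return action, num
    return "DROP", 7

# The slides show only that the internal firewall (fw2) accepts the manager's
# web traffic via its rule 4 and that its NAT rewrites the source to fw2_static;
# both are hypothetical stand-ins here, not the real internal policy.
def int_acl(p):
    if p.ifc == "fw2_int" and p.dstprt == "http" and p.proto == "tcp":
        return "ACCEPT", 4
    return "DROP", 0   # hypothetical catch-all rule

def int_nat(p):
    """p' = p except it enters the external firewall on fw1_dmz with the NATed source."""
    return replace(p, ifc="fw1_dmz", ipsrc="fw2_static")

def trace(ext, p):
    """End-to-end outcome plus the rule trace the slides print."""
    steps = []
    d, r = int_acl(p)
    steps.append(f"Int ACL {d} via rule {r}")
    if d != "ACCEPT":
        return "DROP", steps
    q = int_nat(p)
    steps.append(f"Int NAT rewrites ipsrc {p.ipsrc} -> {q.ipsrc}")
    d, r = evaluate(ext, q)
    steps.append(f"Ext ACL {d} via rule {r}")
    return ("ACCEPT" if d == "ACCEPT" else "DROP"), steps

def change_impact(old_ext, new_ext, packets):
    """Finite-domain analogue of the slides' change-impact formula: packets whose
    end-to-end outcome differs between two versions of the external ACL."""
    flips = {}
    for p in packets:
        before, _ = trace(old_ext, p)
        after, _ = trace(new_ext, p)
        if before != after:
            flips[p] = f"{before} -> {after}"
    return flips

def gained_privileges(flips):   # "Deny to Permit"
    return {p.ipsrc for p, v in flips.items() if v == "DROP -> ACCEPT"}

def lost_privileges(flips):     # "Permit to Deny"
    return {p.ipsrc for p, v in flips.items() if v == "ACCEPT -> DROP"}

def packet_space():
    """Small constructed domain standing in for Margrave's symbolic packet space."""
    hosts, dests = ["manager", "employee", "contractor"], ["outside1", "webserver", "badhost"]
    return [Packet("fw2_int", s, d, pt, "tcp")
            for s, d, pt in product(hosts, dests, ["http", "smtp", "telnet"])]

MANAGER_WEB = Packet("fw2_int", "manager", "outside1", "http", "tcp")

if __name__ == "__main__":
    for label, src in (("original", "manager"), ("corrected", "fw2_static")):
        print(label, *trace(ext_acl(src), MANAGER_WEB))
    flips = change_impact(ext_acl("manager"), ext_acl("fw2_static"), packet_space())
    print("gained:", gained_privileges(flips), "lost:", lost_privileges(flips))
```

Run stand-alone, the original external ACL drops the manager’s post-NAT packet at rule 7 while the corrected one accepts it at rule 6. The change-impact over the 27 constructed packets reports that manager, employee and contractor all move from Deny to Permit and nobody loses access: because the NAT hides the source address, a source-based rule after the NAT cannot single out the manager, and the “confirm no machines gained privileges” check is exactly the step that surfaces this.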
Change as a First-Class Entity
• Restrict changes to External Firewall (View)
• Which machines lost privileges? (Query)
• Confirm no machines gained privileges (Verification)
• Configuration checking
• Refactoring testing
• “What if” questions
• Upgrade checking
• Finding “hotspots”
• Mutation testing
Scope of Margrave
• Most of XACML 1.0 and 2.0
• Cisco IOS:
– ACL: standard and extended
– NAT: static; dynamic: ACL-based, map-based
– routing: static and policy-based
– limited: BGP announcements and VPN endpoints
• Amazon Access Policy Language (in SQS)
• Hypervisor, based on sHype (IBM)
• A Datalog-based intermediate language
Performance
Production firewall (1108 rules):
  Change-impact:              Time: 2.5 sec   Space: baseline + 83 Mb
  List all superfluous rules: Time: 10 min    Space: baseline + 467 Mb
Production XACML policy:
  Verification:   Time: <10 millisec   Space: baseline + 316 Kb
  Change-impact:  Time: 2 millisec     Space: baseline + 16 Kb
Under the Hood
Translation into first-order logic
Propositionalize to BDDs and SAT
Bernays-Schönfinkel-Ramsey class
Extended to multi-sorted logic
Some small theories for networking
Aggregation to compress i. and o.
Rule-tracing → EDBs and IDBs in models
Upcoming Work
• More sophisticated modeling of state
• Visualization of output
• Generating constraints on components
• Suggesting repairs
• Handling numerics
• Dan Dougherty [WPI]
• Kathi Fisler [WPI]
• Tim Nelson [WPI]
• Alums:
– Leo Meyerovich [Brown u.g. → Berkeley]
– Michael Tschantz [Brown u.g. → CMU]
Download: http://www.margrave-tool.org/