A Security Policy Model Transformation and

Verification Approach for Software Defined

Networking

Yunfei Menga, Zhiqiu Huanga, Guohua Shena, Changbo Keb

aCollege of Computer Science and Technology, Nanjing University of Aeronautics andAstronautics, Nanjing 211106, China

bSchool of Computer Science and Technology, Nanjing University of Posts andTelecommunications, Nanjing 210023, China

Abstract

Software defined networking (SDN) has been adopted to enforce the secu-rity of large-scale and complex networks because of its programmable, ab-stract, centralized intelligent control and global and real-time traffic view.However, the current SDN-based security enforcement mechanisms requirenetwork managers to fully understand the underlying configurations of net-work. Facing the increasingly complex and huge SDN networks, we urgentlyneed a novel security policy management mechanism which can be com-pletely transparent to any underlying information. That is it can permitnetwork managers to define upper-level security policies without containingany underlying information of network, and by means of model transforma-tion system, these upper-level security policies can be transformed into theircorresponding lower-level policies containing underlying information auto-matically. Moreover, it should ensure system model updated by the generatedlower-level policies can hold all of security properties defined in upper-levelpolicies. Based on these insights, we propose a security policy model trans-formation and verification approach for SDN in this paper. We first presentthe formal definition of a security policy model (SPM) which can be used tospecify the security policies used in SDN. Then, we propose a model trans-formation system based on SDN system model and mapping rules, whichcan enable network managers to convert SPM model into corresponding un-derlying network configuration policies automatically, i.e., flow table model(FTM). In order to verify SDN system model updated by the generated FTMmodels can hold the security properties defined in SPM models, we design

Preprint submitted to Elsevier June 1, 2020

arX

iv:2

005.

1320

6v2

[cs

.CR

] 2

9 M

ay 2

020

a security policy verification system based on model checking. Finally, weutilize a comprehensive case to illustrate the feasibility of the proposed ap-proach.

Keywords: SDN, security policy, model transformation, consistencyvalidation.

1. Introduction

. Currently software-defined networking (SDN) [1] has been adopted to en-force the security of large-scale and complex networks because of its pro-grammable, abstract, centralized intelligent control and global and real-timetraffic view. For instances, Garay et al [2] proposed a SDN-based networkaccess control mechanism, flownac, which is a centralized EAP (ExtensibleAuthentication Protocol) based on terminal security authentication methodfor IEEE 802.1x wireless local area network (WLAN). Yakasai et al [3] pro-posed the flowidentity network access control mechanism. This mechanismintegrates EAP security authentication mechanism into SDN controller, andthen uses custom firewall policy to control terminal access. Hu et al [4] pro-posed a dynamic firewall mechanism based on SDN, flowguard. With thismechanism, network administrators can flexibly customize different types offirewall policies and authenticate different types of network devices. Ko-erner et al [5] proposed a device security authentication mechanism basedon MAC address and SDN. This mechanism uses the floodlight controller tomap the MAC address of the laptop to the corresponding VLAN address inthe network. Because the MAC address is static, it can ensure the securityauthentication of the mobile workstation. However, current SDN-based secu-rity enforcement mechanisms require network managers to fully understandthe detailed underlying configurations of network (such as MAC address, IPaddress, VLAN ID, network type and etc.) and then load these security poli-cies (such as access control policies or firewall policies) containing underlyinginformation of the network into the SDN controller by means of control pro-grams or manual input. However, facing the increasingly complex and hugeSDN networks, traditional security policy management is becoming more andmore difficult because it is nearly impossible for network managers to fullyunderstand all of underlying configurations. Moreover, with the emergenceof multi-controller SDN [6], network managers need to manage a variety ofheterogeneous SDN controllers at the same time. In this case, the same se-

2

curity policy often needs to be developed and deployed for different types ofcontrollers, which inevitably increases the complexity and difficulty of net-work management. Therefore, in the face of the increasingly complex andhuge SDN networks, we urgently need a novel security policy managementmechanism which can be completely transparent to any underlying informa-tion of network. That is it can permit network managers to define upper-levelsecurity policies without containing any underlying information of network,and by means of model transformation system, these upper-level securitypolicies can be transformed into their corresponding lower-level policies con-taining underlying information automatically. Moreover, it should ensureSDN system model updated by the generated lower-level policies can holdall of security properties defined in upper-level policies.

. Based on these insights, we propose a security policy model transformationand verification approach for SDN in this paper. The main idea of theapproach is to specify the current security policies used in SDN, such as accesscontrol policies or firewall policies, as a unified security policy model (SPM).SPM is of an upper-level policy model without containing any underlyinginformation of SDN. Then, we establish SDN system model and use SDNsystem model to establish the mapping rules between the objects of SPMand the objects of SDN system models, and then use these mapping rulesto automatically convert the SPM models into their corresponding lower-level policy models containing underlying information of SDN, i.e., flow tablemodel (FTM). To be practically useful, we must prove that SDN systemmodel updated by the generated FTM can ensure all of security propertiesdefined in SPM after model transformation. Thus, we design a verificationalgorithm, which validates the SDN system model updated by FTM by meansof the security properties defined in SPM, i.e., validation conditions. If allof given validation conditions are proofed to be true after verification, itproves that the updated SDN system model can hold all of security propertiesdefined in SPM, otherwise it cannot satisfy the security requirements. Hence,the main contributions of this paper can be concluded as follows:

. • We establish the system model of SDN in this paper, which includesterminal model (TM), OpenFlow switch model (SWM), flow table model(FTM), network flow model (NFM) and network topology model (NTM).

. • Since most of security policies used in SDN can be described as theproblem whether the policy subject (user, service or terminal, etc.) can

3

access or use the policy object (resource, service, data or terminal, etc.), thuswe specify these security policies as a unified security policy model (SPM) inthis paper.

. • Based on the established SDN system model, we further establish themapping rules between the objects of SPM and the objects of SDN systemmodels. Then, based on these mapping rules, we propose a model transfor-mation system which can automatically transform SPM model without con-taining any underlying information of network into its corresponding lower-level policy model containing underlying information, i.e., flow table model(FTM).

. • In order to prove SDN system model updated by the generated FTM canhold all of security properties defined in SPM after model transformation, wedesign a security policy verification system based on model checking. Theverification algorithm of system validates the SDN system model updated bygenerated FTM by means of the security properties defined in SPM, i.e., vali-dation conditions. If all of given validation conditions are true, it proves thatthe updated SDN system model can hold all of security properties defined inSPM, otherwise it cannot satisfy the security requirements.

. • Finally, we utilize a comprehensive case to illustrate the feasibility ofthe proposed approach. We first establish SDN system model and SPMof this case, then transform SPM into its corresponding FTM using modeltransformation algorithm, and verify the generated FTM can hold all ofsecurity properties defined in SPM after model transformation using securitypolicy verification algorithm.

. The remainder of the paper is structured as follows. Section 2 discuss somerelated works. Section 3 is the main body of this paper, which includes theframework of the proposed approach, SDN system model, security policymodel, model transformation system and security policy verification systemusing model checking. In section 4, we utilize a comprehensive case to illus-trate the feasibility of approach. Finally, Section 5 concludes this paper andpresents some future directions.

2. Related Work

. In this section, we discuss some research works related with policy modeltransformation and security policy verification, and compare these works

4

with our approach comprehensively.

2.1. Policy Model Transformation

According to the definitions of model driven architecture (MDA), modeltransformation refers to the process of transforming the platform indepen-dent model (PIM) to its corresponding platform specific model (PSM) [7]. Interms of the literatures we have reviewed, researches on policy model trans-formation may be roughly divided into three categories, they are template-based transformation, RBAC-based transformation, as well as system model& mapping rules-based transformation [8]. Due to the limitations of the tem-plate, template-based transformation [9] has only very limited policy trans-formation ability. RBAC-based transformation [10] is generally only suitablefor RBAC (role-based access control) policy transformation, and does nothave ample abilities to describe the underlying system, thus these two kindof methods are not suitable for SDN.

. System model & mapping rules-based transformation is an active researchissue now. Its main research contents include: (1) system model : definesthe objects of system and the relationship between system objects; (2) policymodel : defines the policy object and the relationship between policy objects;(3) upper and lower level mapping rules : establish the mapping rules betweenthe upper-level policy objects and lower-level system objects by means of thesystem model [11][12]. Based on the system model & mapping rules, pol-icy model transformation first establish the underlying system model, thenestablish the mapping rules between the upper-level policy objects and thelower-level system objects based on the system model, and then convertthe upper-level policy model to the lower-level policy model according tothese mapping rules. In particular, Davy et al [13] proposed a policy modeltransformation approach based on mapping rules, in which the policy modelis defined as a tuple 〈 event(E), condition(c), behavior(a), subject(s), ob-ject(T) 〉 and ontology is used to establish the mapping relationship amongthe different system layers. Luck et al [14] proposed a method to transformRBAC model defined in service layer into the policy model used in systemlayer. In this method, the system model is divided into three layers: roles &object (RO), subject & resources (SR) and processes & hosts (PH), and themapping rules between the three layers have been constructed. Based on theLuck’s research, Porto et al. [15] further decomposes the PH layer into twosub layers, namely DAS (diagram abstract subsystem) layer and PH layer.

5

DAS layer is mainly used to describe the network topology in the original PHlayer, while PH layer is used to describe the specific network information inDAS layer. In addition, the authors also proposed a policy verification frame-work, which can be used to verify the consistency problems in the process ofpolicy transformation. In addition, Lampson et al [16] proposed a networkpolicy model transformation approach for distributed computing environ-ment. Maullo et al [17] proposed a policy transformation system based onthe first-order predicate logic, which transforms the high-level policy modelinto the low-level network configuration policy through network topology andother information. Nanxing et al [18] proposed a SDN-oriented access controlpolicy transformation framework. In this paper, we also propose a securitypolicy model transformation based on system model & mapping rules. Wefirst establish the SDN system model, then further establish the mappingrules between the objects of security policy model and the objects of systemmodel. Next, we propose a model transformation algorithm based on thesemapping rules.

2.2. Security Policy Verification

. To assure the information system running securely, security mechanismsof information system have to be validated to check if they conform to thesecurity policies. Traditional test and simulation based validations can onlyconfirm the system work properly in situations described in the scenarios,but they are difficult to identify hidden flaws that are not likely to occurprobabilistically. While formal verification methods have been applied toovercome the traditional methods shortcoming mentioned above. Two com-mon formal methods for security policy verification are theorem proving andmodel checking [19]. Theorem proving is unsuitable to validate the complexsystems properties due to its lower efficiency. Model checking [20] can beused to validate the system whether it conforms to the property expectedby modeling the systems dynamic behaviors and static properties. Modelchecking has been widely used in the fields of protocol analysis, hardwaredesign and other situations.

. Security policy is the core of the protection mechanism in information sys-tems. Many researches on security policy verification have been proposed.For instances, Al-Shaer et al.[21] proposed a static policy inconsistency de-tection method for firewall policies. Bandara et al.[22] proposed a Event

6

calculus (EC) based framework for security policy verification. They trans-late policy and system behavior specification to a formal notation basedon event calculus and then used reasoning techniques for conflict identifica-tion. May et al.[23] verified privacy policies with an asynchronous modelchecker. Rubio-Loyola et al.[24] proposed a goal-oriented policy refinementmethod by means of a model checking technique with linear temporal Logic(LTL). Graham et al.[25] proposed an incremental method to validate pol-icy based systems through direct conflict detection with extended decisiontable. Baliosan and Serrat [26] developed a specific finite automaton basedapproach for policy conflict detection. In this paper, we also propose a se-curity policy verification system using model checking. We first specify thesecurity properties defined in security policy model as a group of validationconditions, then input validation conditions and SDN system model into theverification algorithm for checking security properties.

3. Security Policy Model Transformation and Verification Approach

. We propose a security policy model transformation and verification ap-proach for software defined networking in this paper. In the following of thissection, we first present the framework of approach. Then, we establish SDNsystem model and present the proposed security policy model (SPM). Next,based on the established SDN system model, we present how to transformSPM model into its corresponding FTM model using mapping rules. Afterthat, we present how to verify the generated FTM can hold all of securityproperties defined in SPM by means of model checking algorithm.

3.1. Framework of Approach

. We depict the framework of entire approach as Figure 1, which includessecurity policy model (SPM), model transformation system, security policyverification system and SDN system model. Firstly, we specify the securitypolicies (such as access control policies or firewall policies) used in SDN asa unified SPM. Then, we establish SDN system model. Based on SDN sys-tem model, we further establish the mapping rules between the objects ofSPM and the objects of SDN system model, and then utilize these mappingrules to automatically convert SPM model into its corresponding underlyingnetwork configuration policies, i.e., flow table model (FTM). To be practi-cally useful, we must prove that SDN system updated by the generated FTM

7

can ensure all of security properties defined in SPM after model transforma-tion. Thus, we design a security policy verification system based on modelchecking technique. Before verification, we first update SDN system modelusing the generated FTM, and the updated SDN system model is denoted asRSDN . Then, we specify the security properties defined in SPM as a groupof specific validation conditions { V Ci }, then we input RSDN and { V Ci }into security policy verification system and execute model checking. If all ofgiven validation conditions { V Ci } are proofed to be true after verification,it proves that the updated SDN system model can hold all of security prop-erties defined in SPM. Otherwise, it cannot satisfy the security requirementsof SPM. In this case, we will redesign our model transformation system untilit can meet all of requirements.

Figure 1: The framework of approach.

4. Conclusion

. In order to implement transforming the upper-level security policies with-out containing any underlying information of SDN into their correspondinglower-level policies containing underlying information automatically, we pro-pose a security policy model transformation and verification approach forSDN in this paper. We first establish SDN system model, which includesterminal model (TM), OpenFlow switch model (SWM), flow table model

8

(FTM), network flow model (NFM) and network topology model (NTM).Since most of security policies used in SDN can be described as the prob-lem whether the policy subject (user, service or terminal, etc.) can accessor use the policy object (resource, service, data or terminal, etc.), thus wespecify these security policies as a unified SPM in this paper. Based onthe established SDN system model and mapping rules, we propose a modeltransformation system which can automatically transform SPM model intoits corresponding lower-level policy model, i.e., FTM. In order to prove SDNsystem model updated by the generated FTM can ensure all of security prop-erties defined in SPM after model transformation, we design a security policyverification system based on model checking. The verification algorithm val-idates the SDN system model updated by the generated FTM by means ofa group of validation conditions. If all of validation conditions are true, itproves that the updated SDN system model can hold all of security proper-ties defined in SPM, otherwise it cannot satisfy the security requirements.Finally, we utilize a comprehensive case to illustrate the feasibility of theproposed approach.

. At present, the route selection algorithm α adopted by model transforma-tion system is set as the simplest Dijkstra shortest path search algorithm.But when α is set as some more complex algorithms, such as linear pro-gramming, load balancing or quality of services (QoS) aware and etc., theproposed model transformation system needs to be further verified and eval-uated. Hence, to further expand our model transformation system will be aninteresting direction for our ongoing works.

Acknowledgments

. This paper has been sponsored and supported by National Natural ScienceFoundation of China (Grant No.61772270), partially supported by NationalNatural Science Foundation of China (Grant No.61602262).

References

References

[1] N. Mckeown, T. Anderson, H. Balakrishnan, G. M. Parulkar, J. S.Turner, Openflow: Enabling innovation in campus networks, Acm Sig-comm Computer Communication Review 38 (2) (2008) 69–74.

9

[2] J. M. J. Garay, A. Mendiola, N. Toledo, E. Jacob, Flownac: Flow-basednetwork access control, in: Third European Workshop on Software-defined Networks, 2014.

[3] S. T. Yakasai, C. G. Guy, Flowidentity: Software-defined network accesscontrol, in: IEEE Conference on Network Function Virtualization andSoftware-defined Networks, 2015.

[4] H. Hu, W. Han, G. J. Ahn, Z. Zhao, Flowguard: Building robust fire-walls for software-defined networks, in: Acm Sigcomm Workshop on HotTopics in Software Defined Networking, 2014.

[5] M. Koerner, O. Kao, Mac based dynamic vlan tagging with openflow forwlan access networks, Procedia Computer Science 94 (2016) 497–501.

[6] K. Phemius, M. Bouet, J. Leguay, Disco: Distributed sdn controllers ina multi-domain environment, in: Noms IEEE/IFIP Network Operationsand Management Symposium, 2014.

[7] A. Kleppe, J. Warmer, W. Bast, MDA Explained, Addison-Wesley Pro-fessional, 2004.

[8] J. P. D. Albuquerque, H. Krumm, P. L. D. Geus, Formal validationof automated policy refinement in the management of network securitysystems, International Journal of Information Security 9 (2) (2010) 99–125.

[9] M. C. Mont, A. Baldwin, C. Goh., Power prototype: Towards integratedpolicy-based management, in: Network Operations and ManagementSymposium, 2000. NOMS 2000. 2000 IEEE/IFIP, 2000.

[10] J. K, Automatic error finding in access control policies, in: CCS2011,2011.

[11] C. Wang, G. Wang, A. Chen, H. Wang, S. Uczekaj, A policy-basedapproach for qos specification and enforcement in distributed service-oriented architecture, in: IEEE International Conference on ServicesComputing, 2005.

[12] C. A. Kamienski, R. Dantas, E. Azevedo, C. Dias, B. Ohlman, Unleash-ing the power of policies for service-oriented computing, in: Interna-tional Conference on Network and Service Management, 2011.

10

[13] S. Davy, B. Jennings, Harnessing models for policy conflict analysis, in:AIMS2007, 2007.

[14] I. Luck, C. Schfer, H. Krumm, Model-based tool-assistance for packet-filter design, in: Policies for Distributed Systems and Networks, Inter-national Workshop, POLICY 2001 Bristol, UK, January 29-31, 2001,Proceedings, 2001.

[15] J. P. D. Albuquerque, H. Krumm, P. L. D. Geus, Policy modeling andrefinement for network security systems., in: IEEE International Work-shop on Policies for Distributed Systems and Networks, 2005.

[16] B. Lampson, M. Abadi, M. Burrows, Authentication in distributed sys-tems: theory and practice, Acm Transactions on Computer Systems.

[17] M. Abadi, M. Burrows, B. Lampson, G. Plotkin, A calculus for accesscontrol in distributed systems, in: International Cryptology Conference,1991.

[18] N. Kang, J. Reich, J. Rexford, D. Walker, Policy transformation insoftware defined networks, Acm Sigcomm Computer CommunicationReview 42 (4) (2012) 309.

[19] J. Ma, D. Zhang, G. Xu, Y. Yang, Model checking based security policyverification and validation, in: International Workshop on IntelligentSystems and Applications, 2010.

[20] E. M. Clarke, O. Grumberg, D. Peled, Model checking, Springer BerlinHeidelberg, 1997.

[21] E. S. AlShaer, H. H. Hamed, Firewall policy advisor for anomaly dis-covery and rule editing, in: Proc. of IM, 2003, pp. 17–30.

[22] A. Bandara, E. Lupu, A. Russo, Using event calculus to formalise ppol-icy specification and analysis, in: International workshop on policies fordistributed systems and networks, 2003, pp. 26–39.

[23] M. J. May, C. A. Gunter, I. Lee, Privacy apis: Access control techniquesto analyze and verify legal privacy policies, in: IEEE Computer SecurityFoundations Workshop, 2006, pp. 85–97.

11

[24] J. Rubio-Loyola, J. Serrat, M. Charalambides, P. Flegkas, A. Lluch-Lafuente, Using linear temporal model checking for goal-oriented policyrefinement frameworks, in: 6th IEEE International Workshop on Policiesfor Distributed Systems and Networks (POLICY 2005), 6-8 June 2005,Stockholm, Sweden, 2005.

[25] A. Graham, T. Radhakrishnan, C. Grossner, Incremental Validation ofPolicy-Based Systems, 2004.

[26] J. Baliosian, J. Serrat, Finite state transducers for policy evaluationand conflict resolution, in: IEEE International Workshop on Policies forDistributed Systems and Networks, 2004, pp. 250–259.

12