It is common knowledge today that unrestricted access to the Internet is a security risk. Firewalls, i.e., active network elements that can filter network traffic, are a widely used tool for controlling access to computers in a (sub)network and to the services implemented on them. In particular, firewalls filter undesired traffic (based on different criteria), e.g., TCP/IP packets, out of the data flow going to and from a (sub)network. Of course, their intended behavior, i.e., the firewall policy, varies from network to network according to the needs of its users. Therefore, firewalls can be configured to implement various security policies. Since configuring and maintaining firewalls is a highly error-prone task, the question arises how they can be tested systematically.

Several approaches for the generation of test cases are well known: while unit-test oriented test generation methods essentially use preconditions and postconditions of system operation specifications, sequence-test oriented approaches essentially use temporal specifications or automata-based specifications of system behavior. Usually, firewalls combine both aspects: whereas firewall policies are static, the underlying network protocols may depend on protocol states which some policies are aware of. This combination of complexity and criticality makes firewalls a challenging and rewarding target for security testing. This work was partially funded by BT Group plc.

Model-Based Firewall Conformance Testing

Firewalls are a cornerstone of today's security infrastructure for networks. Their configuration, implementing a firewall policy, is inherently complex, hard to understand, and difficult to validate. We present a substantial case study performed with the model-based testing tool HOL-TestGen. Based on a formal model of firewalls and their policies in higher-order logic (HOL), we first present a derived theory for simplifying policies. We discuss different test plans for test specifications.
Finally, we show how to integrate these issues to a domain-specific firewall testing tool HOL-TestGen/fw.
We present a generic modular policy modelling framework and instantiate it with a substantial case study for model-based testing of some key security mechanisms of applications and services of the NPfIT. NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT infrastructure of the National Health Service (NHS) in England. Consisting of heterogeneous and distributed applications, it is an ideal target for model-based testing techniques of a large system exhibiting critical security features.

We model the four information governance principles, comprising a role-based access control model, as well as policy rules governing the concepts of patient consent, sealed envelopes and legitimate relationships. The model is given in Higher-order Logic (HOL) and processed together with suitable test specifications in the HOL-TestGen system, which generates test sequences according to them. Particular emphasis is put on the modular description of security policies, their generic combination, and the consequences of this for model-based testing.
This is the peer reviewed version of the following article: Brucker A. D., Brügger L., and Wolff B. (2014), Formal firewall conformance testing: an application of test and proof techniques, Softw. Test. Verif. Reliab., 25, 34-71, which has been published in final form at http://dx.doi.org/10.1002/stvr.1544. This article may be used for non-commercial purposes in accordance with Wiley Terms and Conditions for Self-Archiving (http://olabout.wiley.com/WileyCDA/Section/id-820227.html#terms).

Summary

Firewalls are an important means to secure critical ICT infrastructures. As configurable off-the-shelf products, the effectiveness of a firewall crucially depends on both the correctness of the implementation itself and the correctness of its configuration. While testing the implementation can be done once by the manufacturer, the configuration needs to be tested for each application individually. This is particularly challenging as the configuration, implementing a firewall policy, is inherently complex, hard to understand, administrated by different stakeholders and thus difficult to validate.
This paper presents a formal model of both stateless and stateful firewalls (packet filters), including NAT, to which a specification-based conformance test case generation approach is applied. Furthermore, a verified optimisation technique for this approach is presented: starting from a formal model for stateless firewalls, a collection of semantics-preserving policy transformation rules and an algorithm that optimises the specification with respect to the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates verification and testing, that is, tests and proofs, to support conformance testing of network policies. The presented approach is supported by a test framework that allows testing actual firewalls using the test cases generated on the basis of the formal model. Finally, a report on several larger case studies is presented.
Abstract. We present an optimization technique for model-based generation of test cases for firewalls. Starting from a formal model for firewall policies in higher-order logic, we derive a collection of semantics-preserving policy transformation rules and an algorithm that optimizes the specification with respect to the number of test cases required for path coverage. The correctness of the rules and the algorithm is established by formal proofs in Isabelle/HOL. Finally, we use the normalized policies to generate test cases with the domain-specific firewall testing tool. The resulting procedure is characterized by a gain in efficiency of two orders of magnitude. It can handle configurations with hundreds of rules, as frequently occur in practice. Our approach can be seen as an instance of a methodology to tame inherent state-space explosions in test case generation for security policies.
The BT Security Research Centre has defined and continues to develop a modelling language and method for representing and analysing ICT security requirements. The language is used to create a model that serves as a medium for communication between consultant and customer, a guide in making decisions, and the basis of a specification for implementing a solution. Three sub-models deal with business and technical requirements of the ICT system; threats, vulnerabilities and risks; and security measures and processes. The modelling process is iterative, with decisions being driven by optimisation of business value, trading off risk against cost. This paper focuses on aspects of the method dealing with assessment of risk and analysis of requirements for operational risk management.

Introduction

This paper describes aspects of on-going work within BT's Security Research Centre aimed at producing a modelling language and methodology to support the development and operation of secure systems. This work was introduced in a recent joint paper which described complementary security modelling projects at BT and HP Laboratories [1]. The earlier paper focused on the application of modelling techniques to achieving assurance, i.e. generating confidence (backed with evidence) that a system complies with regulatory and other requirements. It also gave a general motivation for modelling and an overview of both approaches. The current paper updates the overview of the BT method and goes into more detail about the modelling language, stressing aspects relevant to the modelling of risk and the facilitation of operational risk management. A separate paper does likewise for the HP method [2]. The paper begins with a general discussion of modelling in the context of security, before moving on to outline our view of risk: optimisation of security risk is an important driver in the modelling methodology.
The three main sub-models (the value model, the security model and the threat model) and the concepts used to construct them are then introduced. The following sections outline the iterative process by which the models are constructed and refined, focusing on the risk analysis step. We then discuss the relevance of the methodology to operational risk management (ORM) and the use of models in ORM tools such as future versions of the BT Risk Cockpit. A survey of related work on security and risk modelling is then provided. The paper concludes with a brief discussion of the current status and activities of the project.

Modelling and security

Many engineering and scientific disciplines make use of models. A model is an abstract representation of a system or artefact. Inevitably, a model is an idealisation of, and approximation to, the real system it represents. Abstraction helps modellers focus on particular properties of the system of importance to their purpose. Furthermore, if the model is expressed within a formal framework, then analysis, or manipulation, of the model will make predictions about the real system. Confirmation and refutation of the correct...