CS261 Final Project: Sketching Secure Configurations for Trusted Security Components
Armando Solar-Lezama <asolar> and Shoaib Kamil <skamil>
Problem Statement
We are trying to find a solution for the problem of configuring trusted security
components. A firewall is one example of such a component: although firewalls are
critical in defending a network, they are useless unless configured correctly. Such
configurations are tricky: they must allow all desired behaviors while preventing
entire classes of attacks.
Key Challenges and Proposed Solution
We propose to construct a solution based on sketching, a program synthesis technique
based on combinatorial search. In sketching, the programmer writes a specification
along with an incomplete implementation (a program with holes), and the synthesizer
completes the sketch by searching through all possible completions of the holes until
it finds one that satisfies the specification for all possible inputs.
For our project, we will take one of these configurable trusted security components
(such as a firewall) and encode the functionality and security requirements in a
specification. We will then use the sketch synthesis engine to search for configurations
that meet all the functionality and security requirements. The sketch solver is
particularly well suited for this because it can search for configurations that protect
against all possible behaviors of an attacker under a given threat model, while guaranteeing
our desired functionality.
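To make the two preceding paragraphs concrete, here is a miniature version of the idea written as an added example for this proposal (it is not the Sketch tool and not code from the project). A firewall rule list is the sketch: each rule's zone, port and action are holes. The specification combines a functionality requirement (flows that must be allowed) with a security requirement over a threat model (everything else from the external zone must be denied). The search is counterexample-guided in the style sketching uses: each candidate completion is screened against counterexamples already found before the full check over all inputs runs. The zones, ports and required flows are constructed for the example.

```python
"""Added example: filling the holes of a firewall-rule sketch by combinatorial
search against a functionality + security specification (toy, not Sketch)."""
from itertools import product
from typing import NamedTuple, Optional

WILD = "*"                       # wildcard value a hole may take


class Packet(NamedTuple):
    zone: str                    # zone the packet arrives from
    port: int                    # destination port


class Rule(NamedTuple):
    zone: object                 # hole: zone name or WILD
    port: object                 # hole: port number or WILD
    action: str                  # hole: "allow" or "deny"


# Bounded model of the world (constructed for the example).
ZONES = ("external", "internal")
PORTS = (22, 80, 443)
PACKETS = [Packet(z, p) for z in ZONES for p in PORTS]

# Domain of each hole; the synthesizer tries every combination.
ZONE_HOLE = ZONES + (WILD,)
PORT_HOLE = PORTS + (WILD,)
ACTION_HOLE = ("allow", "deny")

# Functionality requirement: these flows must be allowed.
MUST_ALLOW = {Packet("external", 80), Packet("external", 443), Packet("internal", 22)}


def spec(pkt: Packet, allowed: bool) -> bool:
    """Specification over (input, output): True if the decision is acceptable."""
    if pkt in MUST_ALLOW:
        return allowed
    if pkt.zone == "external":       # threat model: any other external packet
        return not allowed           # must be denied
    return True                      # remaining internal traffic: unconstrained


def evaluate(rules, pkt: Packet) -> bool:
    """First-match firewall semantics with an implicit default deny."""
    for r in rules:
        if r.zone in (WILD, pkt.zone) and r.port in (WILD, pkt.port):
            return r.action == "allow"
    return False


def verify(rules) -> Optional[Packet]:
    """Return a counterexample packet, or None if the rules meet the spec on every input."""
    for pkt in PACKETS:
        if not spec(pkt, evaluate(rules, pkt)):
            return pkt
    return None


def synthesize(max_rules: int = 3):
    """Counterexample-guided search over all completions of the holes.

    Candidates are first screened against counterexamples already seen (cheap);
    only survivors go through the full verifier. Returns (rules, full_checks)
    with rules=None if no completion with up to max_rules rules satisfies the spec."""
    counterexamples = []
    full_checks = 0
    hole_domain = list(product(ZONE_HOLE, PORT_HOLE, ACTION_HOLE))
    for n in range(1, max_rules + 1):            # smallest rule list first
        for combo in product(hole_domain, repeat=n):
            rules = [Rule(*h) for h in combo]
            if any(not spec(c, evaluate(rules, c)) for c in counterexamples):
                continue
            full_checks += 1
            cex = verify(rules)
            if cex is None:
                return rules, full_checks
            counterexamples.append(cex)
    return None, full_checks


if __name__ == "__main__":
    solution, checks = synthesize()
    print("synthesized rules:", solution)
    print("full verifications needed:", checks)
```

Two things in the result are worth noticing. First, the guarantee "for all possible inputs" is only as strong as the bounded model: the synthesizer checks every packet in PACKETS, so the zones, ports and threat model encoded there decide what "secure" means. Second, the smallest completion the search finds is a deny rule for external port 22 followed by an allow-everything rule, which satisfies the spec exactly because the spec left internal traffic to ports 80 and 443 unconstrained; a practitioner who wants a default-deny shape has to state that in the specification rather than expect the solver to prefer it.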
The challenge will be to adapt the sketching system from its current implementation, which
handles C-like programs, to work with a trusted security component. The solver will
remain the same, but new front-end functionality will be required to transform the security
and functionality requirements into a parsable language that the sketching system can
understand and manipulate.
Timeline
By End Oct | Determine target platform/program.
1st-2nd Week Nov | Language creation, transformation rules, etc
By 1st Week Dec | Integration of combinatorial solver, sketching system should be able to generate correct config files