Applying static code analysis to firewall policies for the purpose of anomaly detection

Treating modern firewall policy languages as imperative, special purpose programming languages, in this article we will try to apply static code analysis techniques for the purpose of anomaly detection. We will first abstract a policy in common firewall policy language into an intermediate language, and then we will try to apply anomaly detection algorithms to it. The contributions made by this work are: 1. An analysis of various control flow instructions in popular firewall policy languages 2. Introduction of an intermediate firewall policy language, with emphasis on control flow constructs. 3. Application of \textit{Static Code Analysis} to detect anomalies in firewall policy, expressed in intermediate firewall policy language. 4. Sample implementation of \textit{Static Code Analysis} of firewall policies, expressed in our abstract language using Datalog language.

💡 Research Summary

The paper presents a novel framework that treats firewall policies as imperative, domain‑specific programming languages and applies static code analysis techniques to automatically detect anomalies such as rule shadowing, unreachable code, and dead or uninitialized variables. The authors begin by surveying the control‑flow constructs used in four widely deployed firewall platforms—Netfilter, PF, IPFW, and IPFilter. They identify a set of primitive actions (ACCEPT, DROP, LOG, etc.) and control‑flow directives (JUMP, CALL, RETURN, SET, QUICK) and illustrate how each platform’s rule syntax maps onto a generic control‑flow graph (CFG).

To enable a uniform analysis across heterogeneous platforms, the authors introduce an Intermediate Rule Language (IRL). IRL captures filtering specifications (source/destination IP, ports, protocols), target specifications (actions and control‑flow targets), explicit labels, and mutable variables. The language’s abstract syntax is defined in a concise BNF, and concrete syntax examples demonstrate how real‑world firewall rules from each platform can be translated into IRL. This translation preserves the semantics of conditional branching, sub‑routine calls, early termination, and variable assignments, thereby exposing the full control‑flow structure of a policy.

The core of the analysis relies on two complementary static‑analysis techniques: (1) a Minimal Combining Set of Intervals (MCSI) algorithm that compresses address and port ranges into a minimal set of non‑overlapping intervals, and (2) classic data‑flow and control‑flow analyses expressed in Datalog. The MCSI algorithm sorts interval endpoints, scans to detect overlaps, and merges intersecting intervals, achieving O(n log n) complexity. By operating on the minimal interval set, subsequent analyses avoid redundant comparisons and can reason precisely about packet classification.

Using the IRL representation, the authors construct a CFG where each node corresponds to a labeled rule and edges represent possible control transfers (including jumps, calls, returns, and fall‑through). They then generate Datalog facts describing the CFG topology, variable definitions, and interval constraints. A set of Datalog rules implements:

• Reachability analysis – a fixed‑point computation that marks all nodes reachable from the entry label; unreachable nodes are reported as dead code.
• Live‑variable analysis – forward and backward propagation of variable use/definition information to identify variables that are defined but never used (dead stores) or used before being defined (uninitialized).
• Rule‑shadowing and redundancy detection – by comparing the minimal interval sets of overlapping rules, the system flags rules that are completely subsumed by earlier rules (shadowed) or that duplicate the effect of another rule (redundant).

The implementation consists of three modular components: a parser (built with ANTLR) that converts native firewall configurations into IRL, a data‑flow/CFG extractor that builds the graph and computes MCSI, and a static‑analysis engine that feeds the generated facts into the Soufflé Datalog engine. The authors provide sample Datalog programs for each analysis and discuss how the results are presented to the user.

The framework is evaluated on five realistic firewall policies drawn from the four platforms. For each case study the authors show the IRL translation, the resulting CFG, the computed minimal interval sets, and the anomalies detected (e.g., unreachable sub‑routines, variables set but never read, and rules that are never effective because a preceding rule always matches). Execution times are on the order of seconds, demonstrating scalability to policies with thousands of rules.

In the discussion, the authors argue that modeling firewall policies as programs unlocks a rich body of static‑analysis theory that was previously unavailable to the firewall community. The IRL serves as a lingua franca, enabling cross‑platform analysis and paving the way for future work such as automated policy optimization (removing dead rules), integration with higher‑level security policy languages, and extension to other network devices (IDS, VPN gateways). They also note limitations, including the need for precise semantics of platform‑specific extensions and the challenge of handling dynamic state (e.g., connection tracking) beyond the static scope.

Overall, the paper makes a substantial contribution by bridging the gap between firewall policy engineering and static program analysis, providing both a formal intermediate representation and a practical Datalog‑based toolchain that can automatically uncover subtle configuration errors that are hard to detect manually. This work has the potential to improve the reliability and security of network defenses across a wide range of deployment scenarios.