Demonstrating topoS: Theorem-Prover-Based Synthesis of Secure Network Configurations

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

In network management, when it comes to security breaches, human error constitutes a dominant factor. We present our tool topoS which automatically synthesizes low-level network configurations from high-level security goals. The automation and a feedback loop help to prevent human errors. Except for a last serialization step, topoS is formally verified with Isabelle/HOL, which prevents implementation errors. In a case study, we demonstrate topoS by example. For the first time, the complete transition from high-level security goals to both firewall and SDN configurations is presented.


💡 Research Summary

The paper addresses the long‑standing problem of human error in configuring network security devices by introducing topoS, a tool that automatically synthesizes low‑level network configurations (firewall rules, SDN flow entries) from high‑level security goals. topoS operates as a four‑step pipeline: (A) formalize security goals as “invariants”, (B) construct a global access‑control policy, (C) extend the policy with stateful information, and (D) serialize the result into device‑specific configurations.

Invariants are abstract security specifications such as Bell‑LaPadula, ACLs, sinks, and domain hierarchies. They are instantiated with scenario‑specific host attributes (e.g., internal, DMZ, confidential, trusted). The tool provides an auto‑completion mechanism that safely fills missing attributes, guaranteeing that no hidden security violations are introduced as long as enough information is supplied. A crucial design choice is the use of Φ‑structured invariants, whose predicates depend only on sender, receiver, and their attributes. This restriction yields two important properties: (1) the transformation algorithms run in linear time, and (2) a unique maximum‑permissive policy exists for a given set of invariants.

The policy construction starts from an allow‑all matrix and iteratively removes rules that would violate any invariant. The authors prove (Theorem 1) that this removal process is sound and complete for Φ‑structured invariants, and that the resulting policy is the most permissive one that still satisfies all security goals. Manual refinements (e.g., removing unnecessary web‑frontend‑to‑Internet traffic) are allowed; after each change the invariants are re‑verified automatically.

Stateful policy generation distinguishes between purely unidirectional flows (e.g., UDP‑based syslog to a log server) and flows that should allow responses (e.g., HTTP traffic). Two consistency criteria are enforced: (i) no information‑flow violation, and (ii) no unintended side‑effects on access control. The authors present an efficient algorithm (Theorem 2) that upgrades a set of rules to stateful ones while preserving these criteria, again exploiting the Φ‑structured nature of the invariants.
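To make the three steps above concrete, here is an added example, not topoS's own Isabelle/HOL code: it replays steps (A) to (C) on the case-study hosts, using constructed host attributes (zone, level, trusted, sink) and three simplified Φ-structured invariants, and includes one request flow that the stateful upgrade has to reject because its reply would violate Bell-LaPadula.

```python
"""Added example (not the tool's Isabelle/HOL code): toy replica of topoS steps
(A)-(C) on the case-study hosts, with constructed attributes and simplified invariants."""
from itertools import permutations

# Step (A): constructed host attributes mirroring the web-application case study.
HOSTS = {
    "Internet":    {"zone": "external", "level": "public"},
    "WebFrontend": {"zone": "DMZ",      "level": "public"},
    "Backend":     {"zone": "internal", "level": "confidential", "trusted": True},
    "DB":          {"zone": "internal", "level": "confidential"},
    "LogServer":   {"zone": "internal", "level": "confidential", "sink": True},
}
LEVEL = {"public": 0, "confidential": 1}

# Phi-structured invariants: each predicate looks only at sender, receiver and
# their attributes, so every edge is judged independently of all other edges.
def bell_lapadula(s, r):  # IFS: no write-down, unless the sender may declassify
    return HOSTS[s].get("trusted", False) or \
        LEVEL[HOSTS[s]["level"]] <= LEVEL[HOSTS[r]["level"]]

def sink(s, r):  # ACS: a sink (the log server) only receives
    return not HOSTS[s].get("sink", False)

def domain_hierarchy(s, r):  # ACS: external hosts may not reach internal ones directly
    return not (HOSTS[s]["zone"] == "external" and HOSTS[r]["zone"] == "internal")

INVARIANTS = [("IFS", bell_lapadula), ("ACS", sink), ("ACS", domain_hierarchy)]
def offending(edges, kind=None):
    """Edges violating some invariant (optionally only the IFS or the ACS ones)."""
    return {e for e in edges for k, inv in INVARIANTS if kind in (None, k) and not inv(*e)}

# Step (B): allow-all minus every offending edge. With Phi-structured invariants
# one pass suffices and the result is the unique maximum-permissive policy.
def max_permissive_policy():
    allow_all = set(permutations(HOSTS, 2))
    return allow_all - offending(allow_all)

# Step (C): upgrade chosen request flows so that their replies are allowed:
# (i) the reply direction must violate no IFS invariant (data flows back), and
# (ii) any ACS violation must be confined to the reply edges themselves
#      (our reading of "no unintended side effects on access control").
def upgrade_stateful(policy, candidates):
    stateful = set()
    for s, r in candidates:
        if (s, r) not in policy or offending({(r, s)}, "IFS"):
            continue  # e.g. a confidential DB may not answer a public host
        backflows = {(b, a) for a, b in stateful | {(s, r)}}
        if offending(policy | backflows, "ACS") <= backflows:
            stateful.add((s, r))
    return stateful
```

Running `upgrade_stateful(max_permissive_policy(), [...])` with the HTTP-style flows plus a direct WebFrontend-to-DB request keeps the first three and drops the last, since a confidential, non-trusted DB cannot reply to a public host without a write-down.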

Serialization translates the verified stateful policy into concrete device configurations. The paper discusses three assumptions that must hold: (1) structural integrity – the enforced connectivity must exactly match the policy, (2) authenticity – entities must be correctly bound to their network identifiers (IP/MAC), and (3) state handling – the device’s stateful processing must reflect the policy’s semantics. Two deployment scenarios are demonstrated: (a) a central OpenVPN server that authenticates hosts via X.509 certificates and applies iptables rules derived from the policy, and (b) a pure SDN environment where OpenFlow rules are generated from a template that safely handles ARP, prevents MAC/IP spoofing, and implements both stateless and stateful flows. The OpenFlow example shows how a rule set can be installed without a separate controller, though the authors note a minor hidden timing channel that can be eliminated with a more sophisticated controller.
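As an added illustration of the serialization step, and not the paper's own iptables generator: the snippet below renders a (constructed) stateful policy as iptables FORWARD rules, showing how the three assumptions surface in practice. Structural integrity is kept by a default DROP and by matching "Internet" as "not an internal address" rather than as a catch-all; the addresses are constructed, and the authenticity of the host-to-IP binding (OpenVPN with X.509 in the paper) is outside this snippet; state handling is per flow, so a unidirectional syslog flow gets no reply rule.

```python
"""Added illustration, not topoS's own serializer: emit iptables FORWARD rules
from a stateful policy. Addresses are constructed; in the paper the OpenVPN/X.509
setup (not shown here) is what makes the host-to-IP binding authentic."""
INTERNAL = "10.0.0.0/8"  # constructed: every named host lives in this range
ADDR = {"WebFrontend": "10.0.1.10", "Backend": "10.0.2.10",
        "DB": "10.0.2.20", "LogServer": "10.0.2.30"}

def match(host, flag):
    # "Internet" is everything that is not a known internal address, so the
    # catch-all never silently admits an internal host (structural integrity).
    return f"{flag} {ADDR[host]}" if host in ADDR else f"! {flag} {INTERNAL}"

def serialize_iptables(policy, stateful):
    """policy: allowed (sender, receiver) edges; stateful: the subset whose
    replies are allowed. Only these edges are accepted; the default is DROP."""
    rules = ["iptables -P FORWARD DROP"]
    for s, r in sorted(policy):
        fwd = f"iptables -A FORWARD {match(s, '-s')} {match(r, '-d')}"
        if (s, r) in stateful:
            # the request may open a connection; only its tracked reply comes back
            rules.append(f"{fwd} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
            rules.append(f"iptables -A FORWARD {match(r, '-s')} {match(s, '-d')} "
                         "-m conntrack --ctstate ESTABLISHED -j ACCEPT")
        else:
            # unidirectional flow (e.g. UDP syslog): no state, so no reply rule;
            # a single global ESTABLISHED rule would wrongly let the log server answer
            rules.append(f"{fwd} -j ACCEPT")
    return rules

# constructed sample: the case-study flows as they look after steps (B) and (C)
POLICY = {("Internet", "WebFrontend"), ("WebFrontend", "Backend"),
          ("Backend", "DB"), ("Backend", "LogServer")}
STATEFUL = {("Internet", "WebFrontend"), ("WebFrontend", "Backend"), ("Backend", "DB")}
```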

The case study—a small web application consisting of an Internet‑facing front end, a backend, a database, and a log server—illustrates the entire workflow. The authors provide the full set of invariants, the intermediate policy graphs, the stateful policy, and the final iptables/OpenFlow configurations.

Limitations are acknowledged: the final serialization step is not formally verified, and the correctness of the initial invariant specification depends on the administrator’s input. If a confidential data source is omitted, the auto‑completion cannot prevent leakage. Nevertheless, the tool’s visual feedback and automatic re‑verification mitigate many of these risks.

Overall, topoS represents a novel integration of formal methods (Isabelle/HOL proofs) with practical network management, delivering a provably correct, end‑to‑end synthesis from abstract security objectives to concrete device configurations, and thereby substantially reducing the likelihood of human‑induced security misconfigurations.

