Networked systems are used in a large number of settings, including several critical infrastructure systems, such as chemical plants; electric power generation, transmission and distribution; water distribution networks; wastewater treatment; and enterprise networks, used in many mission-critical business settings. The emerging scenarios and the likely trends for the future of critical networked systems demand that the problem of securing these systems receive immediate attention, especially in the context of controlling access to the critical elements of the system over the communication networks. Given the mission-critical nature of a significant number of large networked information systems, it is important to ensure their protection against cyber-attacks, which, in a worst-case scenario, could result in loss of life, or in massive financial losses through loss of data, actual physical destruction, misuse, or theft.
A modern networked system includes a variety of devices and mechanisms to control access to its resources. These access control mechanisms include, but are not limited to: (1) router-based dedicated firewalls, such as the Cisco PIX series; (2) host-based firewalls, which could be based in software (such as iptables in Linux®, the built-in firewall in Windows XP® or Vista®, and popular products from Symantec® and McAfee® for Windows®) or hardware (such as 3Com's Embedded Firewall NICs); (3) operating-system-based mechanisms, such as discretionary access control in Linux® or Windows®, or more sophisticated mechanisms such as the mandatory access control in NSA's SELinux and similar functionality provided for Windows® by the Cisco® Security Agent; and (4) middleware-based mechanisms, such as the Java® Security Manager, that provide for specification and enforcement of fine-granularity access control policies for Java programs.
All these distributed and layered mechanisms can interact in complex ways that can lead to subtle errors and mask problems. It can be difficult to discern the global picture that emerges from the local configurations of these myriad access control elements. As a result, it is not surprising that misconfigurations of these mechanisms are a major source of security vulnerabilities. In fact, a recent study suggests that most firewalls (the most popular access control mechanism) suffer from misconfigurations. It is important for the administrators of computer networks to have ways to make sure that high-level specifications of such system access constraints are reflected in the actual configurations of the access control mechanisms spread throughout the system. Furthermore, if the implementation of policy (device configurations) is not in compliance with the specification, a diagnosis to locate the root causes of the problem would be useful.
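The following small checker illustrates the compliance and diagnosis problem described above. It is an added example, not code or a method from this work: it composes the local, first-match decisions of two constructed firewall rule sets along a path, compares the resulting global behaviour with a high-level specification, and names the device and rule responsible when the two disagree. Device names, addresses and rules are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed, hypothetical per-device rule lists on the path from an office subnet
# to a control network. Rule = (action, src, dst, ports); first match wins; None = any port.
DEVICE_RULES = {
    "edge-fw": [
        ("permit", "10.1.0.0/16", "10.2.0.0/16", {80, 443, 502}),
        ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
    ],
    "plc-host-fw": [
        ("permit", "10.1.0.0/16", "10.2.5.7/32", {502, 23}),  # telnet left open locally
        ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
    ],
}
PATH = ["edge-fw", "plc-host-fw"]  # order in which a packet traverses the devices

def device_decision(device, src, dst, port):
    """Return (action, rule_index) of the first matching rule on one device; default deny."""
    for i, (action, rs, rd, ports) in enumerate(DEVICE_RULES[device]):
        if (ip_address(src) in ip_network(rs) and ip_address(dst) in ip_network(rd)
                and (ports is None or port in ports)):
            return action, i
    return "deny", None

def end_to_end(src, dst, port):
    """Compose the local decisions along PATH: the flow passes only if every device permits."""
    trace = [(d, *device_decision(d, src, dst, port)) for d in PATH]
    allowed = all(action == "permit" for _, action, _ in trace)
    return allowed, trace

def check_spec(expect_allowed, src, dst, port):
    """Compare global behaviour with a high-level spec and locate the root cause of a mismatch."""
    allowed, trace = end_to_end(src, dst, port)
    if allowed == expect_allowed:
        return {"compliant": True, "root_cause": [], "trace": trace}
    if expect_allowed:   # a required flow is blocked: the first denying device is at fault
        culprit = [next((d, i) for d, a, i in trace if a == "deny")]
    else:                # a forbidden flow passes: every permitting rule must be tightened
        culprit = [(d, i) for d, a, i in trace if a == "permit"]
    return {"compliant": False, "root_cause": culprit, "trace": trace}

if __name__ == "__main__":
    # Spec 1: office hosts must never reach the PLC over telnet. Compliant end to end, but
    # only because edge-fw masks the open port on plc-host-fw; the trace exposes this.
    print(check_spec(False, "10.1.4.20", "10.2.5.7", 23))
    # Spec 2: office hosts must not speak Modbus/TCP (502) to the PLC. Violated: both
    # devices permit it, and both rules are reported as root causes.
    print(check_spec(False, "10.1.4.20", "10.2.5.7", 502))
```

The trace in the compliant case is the useful part for an administrator: a locally permissive rule that is currently masked by an upstream device becomes a real exposure as soon as that upstream device is changed.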