A satisfying solution is not guaranteed to exist. Conflicts between the need for network usability and the desire for network security may eliminate any possible solution. In this
event, the iterative UnSAT Core elimination technique can be employed for the identification and resolution of such conflicts.
Definition 11. An UnSAT core is a subset of the original CNF clauses that is, in itself, unsatisfiable [13].
When a SAT solver finds a set of clauses to be unsatisfiable, a byproduct of this decision is the UnSAT core, a subset of clauses that is unsatisfiable. Logically, given an unsatisfiable Boolean formula C, the UnSAT core µ = µ1, µ2, . . . , µm ⊆ C where µ is itself unsatisfiable.
In other words, C will remain unsatisfiable so long as µ remains unchanged. For the purposes of testing, I have made use of the zChaff SAT solver [25], generating the UnSAT core using the zChaff zcore function.
Iterative UnSAT core elimination will be applied only when no satisfying solution can be found. C typically becomes unsatisfiable when one aspect of the overall system policy (us- ability) demands that a certain variable be true while another aspect (security) necessitates that the same variable be false. This approach recognizes the conflict and seeks to restore an acceptable balance between security and usability; when one or more satisfying solutions exists, the MinCostSAT technique (Section4.4) can be applied to discover a “best” solution. The UnSAT core µ = Ru∧ Su∧ Uu, where Ru ⊆ R, Su ⊆ S, and Uu ⊆ U . Each UnSAT
core, then, will have some subset of derivation clauses based on the MulVAL logic rules as well as the security and usability policies specified by the user. Together, these subsets comprise an unsatisfiable instance.
For example, let C = R ∧ S ∧ U , where:
R = e1∧ e2∧ e3∧ e4∧ e5∧ e6∧ c1∧ c4
S = ¬p2∧ ¬p5
U = c2∧ c3
In this example, an UnSAT core would be identified as µ = (e1∧e2∧c1∧c4)∧(¬p2)∧(c2∧
c3). The security policy dictates that the attacker will not be able to gain code-execution
accessible from the Internet and that the httpd service be maintained on the web server. Based on the logical implications in R, together with the upholding of c1 and c4, it is easily
seen that these configuration settings (c1, c2, c3, c4) are precisely the settings that can enable
an attacker to obtain privileges on the web server; this is the conflict identified in µ. Obviously, the user cannot change the logical foundations of the MulVAl derivation rules (e1, e2) or capriciously eliminate the threat of an attacker (c1) or a vulnerability for which
a patch does not exist (c4), so the UnSAT core µ cannot be resolved by altering any of
Ru. To make the necessary reconfiguration decision, this approach will request from the
user an immediate decision of the relative importance among the elements of Su = ¬p2 and
Uu = c2∧ c3.
The user would be prompted to judge the relative importance of the conflicting policies; the less important policy element would be “relaxed” (removed from C) so that its value is no longer forced true or false. Relaxing (or allowing to falsify) a policy does not necessarily mean that all of the elements will be disabled; instead, only the configuration variables that conflict with the remaining elements will be disabled. The other policy variables will remain unchanged (forced true or false).
It is possible that multiple UnSAT cores exist in a single Boolean formula. In my approach, each UnSAT core is iteratively presented, prompting the user to decide for each core which policy constraint should be relaxed. In this way, a satisfiable configuration solution can eventually be reached.
So long as security and usability policies do not conflict, the user is not asked to decide the relative values of any two policies. These decisions are only faced when an actual conflict has arisen, so the human user makes only necessary choices about system resource valuations.
In utilizing this approach to enterprise network security management, the human user is not expected to fully comprehend the ramifications and effects, both positive and neg- ative, of all possible changes in network configuration, but only to make decisions on the
immediate relative values of specific instances of usability and security. In this way, we reduce an extremely complex problem to one of more manageable proportions, automating the enforcement of both security and usability policies while introducing a method by which conflicts can be quickly and verifiably resolved.
4.3.1
Decision Reduction through Appeal to a Partial Ordering
To further reduce the breadth of decisions faced by the human user, I will show that a partial ordering can be established to arbitrate the relative priorities between specific variables appearing in conflicting policies.
Definition 12. A partial order is a binary relationship ≤ over a set P which is reflexive, antisymmetric, and transitive.
We will employ a partial ordering (denoted by “≤”) over the set of variables contained in C. Thus, for any variables {a, b, c}, it is true that a ≤ a (reflexivity), if a ≤ b and b ≤ a then a = b (antisymmetry), and if a ≤ b and b ≤ c then a ≤ c (transitivity). This relationship reflects the relative significance between two variables.
Each time the human user is presented with the causes of an unsatisfiable conflict and selects one or more of those constraints to be relaxed, this decision is recorded as a partial ordering between the relaxed variable and each of the other variables in the original conflict. In ordering the formula variables, this technique assumes that the constraints that the user allows to be relaxed have a lower priority than any clauses that were not relaxed; this ordering is duly recorded. For some UnSAT core, let µ = x ∧ y ∧ z, and assume that the user, when prompted, elects to relax constraint x. Then x ≤ y and x ≤ z. It is important to note that an ordering is not established at this time between y and z; in this decision, no evidences have been provided for the relative prioritization between these variables.
In future decisions, then, in which two constraints appear for which an ordering is already known, the constraint with higher priority will not be offered to the user as a possibility for relaxation. Assume that at some future point, an UnSAT core is identified, where
µ = v ∧ x ∧ y. The ordering x ≤ y is already known, based on a previous decision, so before the user is presented with a decision, constraint x is first relaxed. If the formula remains unsatisfiable, then the user is presented only with the decision v ∨ y. In this way, conflicts are reduced to comparisons between configuration settings or policy requirements for which relative priorities are not known. Over time, the size and number of decisions required by the human user will decrease as more conflicts can be resolved based on the knowledge of past decisions. There may also be some opportunity for the application of a learning algorithm to this problem, so that conflicts can be resolved without human intervention on the basis of similarity to past ordering decisions, even when the conflicting variables have not been definitely ordered.