DOI: 10.1145/3558819.3558826
research-article

Specifying and Verifying SDP Protocol Based Zero Trust Architecture Using TLA+

Published: 26 October 2022 Publication History

Abstract

Software Defined Perimeter (SDP) is a prevalent security framework designed by the Cloud Security Alliance (CSA) for Zero Trust Network Access (ZTNA), which aims to prevent novel threats in cloud environments. However, few studies verify the correctness and security properties of the SDP architecture through rigorous mathematical methods, so we use formal methods to study them. This paper aims to specify and verify the security and correctness properties of the SDP framework using TLA+. First, an extensible formal model for SDP protocols, with a verification framework, is built according to CSA's specification and the implementation in the popular open-source project fwknop. This model specifies not only the behaviors of the standard access control entities defined by the SDP protocols but also the cyber attack behaviors launched by hackers against system security and correctness. The model is then implemented in the formal specification language TLA+, and the relevant security and correctness properties are verified with the model checking tool TLC. The verification results show that the current SDP protocol framework has a security flaw in the scenario of remote access through NAT technology. To fix this problem, we further propose an improved scheme for the SDP framework and update the TLA+ model accordingly for re-checking. The final experimental results prove that the improved scheme can mitigate the risk of the vulnerability efficiently.


Cited By

  • (2025) Emerging Technologies Driving Zero Trust Maturity Across Industries. IEEE Open Journal of the Computer Society, vol. 6, pp. 25-36. DOI: 10.1109/OJCS.2024.3505056. Online publication date: 2025
  • (2024) Quality Attributes for Zero Trust Architecture-Based Systems. 2024 43rd International Conference of the Chilean Computer Science Society (SCCC), pp. 1-11. DOI: 10.1109/SCCC63879.2024.10767657. Online publication date: 28-Oct-2024
  • (2024) Security Mechanisms Used in Systems Based on Zero Trust Architecture: A Systematic Mapping. 2024 L Latin American Computer Conference (CLEI), pp. 1-10. DOI: 10.1109/CLEI64178.2024.10700484. Online publication date: 12-Aug-2024

Published In

ICCSIE '22: Proceedings of the 7th International Conference on Cyber Security and Information Engineering
September 2022
1094 pages
ISBN: 9781450397414
DOI: 10.1145/3558819

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. SDP
  2. SPA
  3. TLA+
  4. TLC
  5. Zero Trust
  6. fwknop

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICCSIE2022
