Biblio
Companies like Netflix increasingly use the cloud to deploy their business processes. Those processes often involve partnerships with other companies, and can be modeled as workflows in which the owner of the data at risk interacts with contractors to carry out a sequence of tasks on the data to be secured. In practice, access control is an essential building block for deploying these secured workflows. This component is generally managed by administrators using high-level policies meant to represent the requirements and restrictions placed on the workflow. Handling access control with a high-level scheme has the benefit of separating the problem of specification, i.e. defining the desired behavior of the system, from the problem of implementation, i.e. enforcing this desired behavior. However, translating such high-level policies into a deployed implementation can be error-prone. Even though semi-automatic and automatic tools have been proposed to assist this translation, policy verification remains highly challenging in practice. In this paper, our aim is to define and propose structures that assist in checking and correcting potential errors introduced on the ground by a faulty translation or a corrupted deployment. In particular, we investigate structures with formal foundations that can naturally model policies. Metagraphs, a generalized graph-theoretic structure, fulfill those requirements: using them makes it possible to compare high-level policies to their implementation. In practice, we consider Rego, a language used by companies like Netflix and Plex for their release process, as a valuable representative of the most common policy languages. We propose a suite of tools that transform and check policies as metagraphs, and use them in a global framework to show how policy verification can be achieved with such structures. Finally, we evaluate the performance of our verification method.
It is a challenge to select the most appropriate vantage points in a measurement platform with a wide selection. RIPE Atlas [2], for example, currently has over 9600 active measurement vantage points, with selections based on AS, country, etc. A user is limited in how many vantage points they can use in a measurement. This is not only due to limitations the measurement platform imposes; data from a large number of vantage points would also produce a large volume to analyse and store. So it makes sense to optimize for a minimal set of vantage points with a maximum chance of observing the phenomenon in which the user is interested. Network operators often need to debug with only limited information about the problem ("Our network is slow for users in France!"). Doing a minimal set of measurements that would allow testing through a wide diversity of networks could be a valuable add-on to the tools available to network operators. Given platforms with numerous vantage points, we have the luxury of testing a large set of end-customer outgoing paths. A diversity metric would allow selection of the most dissimilar vantage points, exploring from as diverse angles as possible even with a limited probing budget. If one finds an interesting network phenomenon, one could use the similarity metric to advantage by selecting the vantage points most similar to the one exhibiting the phenomenon, to validate the phenomenon from multiple vantage points. We propose a novel means of selecting vantage points, based not on categorical properties such as origin AS or geographic location, but rather on topological (dis)similarity between vantage points. We describe a similarity metric across RIPE Atlas probes, and show that it performs better for the purpose of topology discovery than the default probe selection mechanism built into RIPE Atlas.