Analysis of Computing Policies Using SAT Solvers

A computing policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request if and only if the decision of the first rule in P , that matches the request is “accept” (or “reject”, respectively). Examples of computing policies are firewalls, routing policies and software-defined networks in the Internet, and access control policies. It has been shown earlier that the problems of determining whether a given policy satisfies a property, such as adequacy, completeness, implication, equivalence, and redundancy, are all NP-hard. In this paper, we present efficient algorithms that use SAT solvers to determine whether any given policy satisfies a property. Experimental results show that our algorithms can determine whether a given policy with 90K rules satisfies the adequacy or completeness property in about 3 minutes. They also show that our algorithms can determine whether a given policy with 90K rules satisfies the implication, equivalence, or redundancy property in about 1 hour.