Automated repair by example for firewalls
Formal Methods in System Design (IF 0.8), Pub Date: 2020-09-30, DOI: 10.1007/s10703-020-00346-0
William T. Hallahan, Ennan Zhai, Ruzica Piskac

Firewalls are widely deployed to manage enterprise networks. Because enterprise-scale firewalls contain hundreds or thousands of rules, ensuring the correctness of firewalls—that the rules in the firewalls meet the specifications of their administrators—is an important but challenging problem. Although existing firewall diagnosis and verification techniques can identify potentially faulty rules, they offer administrators little or no help with automatically fixing faulty rules. This paper presents FireMason, the first effort that offers automated repair by example for firewalls. Once an administrator observes undesired behavior in a firewall, she may provide input/output examples that comply with the intended behaviors. Based on the examples, FireMason automatically synthesizes new firewall rules for the existing firewall. This new firewall correctly handles packets specified by the examples, while maintaining the rest of the behaviors of the original firewall. Through a conversion of the firewalls to SMT formulas, we offer formal guarantees that the change is correct. Our evaluation results from real-world case studies show that FireMason can efficiently find repairs.
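
The repair contract the abstract describes (examples handled as specified, every other packet's verdict unchanged) can be illustrated on a toy first-match firewall. This is an added example, not FireMason's code or algorithm: the rule format, the tiny packet domain, and all names are assumptions, and exhaustive enumeration stands in for the SMT-based guarantee.

```python
from itertools import product

# Constructed toy domain: source host id 0..15, destination port from a short list.
HOSTS = range(16)
PORTS = (22, 80, 443)
DEFAULT = "DROP"

def verdict(rules, pkt):
    """First-match semantics: the first rule covering pkt decides its fate."""
    src, port = pkt
    for (s_lo, s_hi), ports, action in rules:
        if s_lo <= src <= s_hi and port in ports:
            return action
    return DEFAULT

def repair(rules, examples):
    """Prepend one exact-match rule per example the firewall gets wrong."""
    new = [((src, src), (port,), want)
           for (src, port), want in examples.items()
           if verdict(rules, (src, port)) != want]
    return new + rules

def check(original, candidate, examples):
    """Return packets violating the repair contract (empty list = correct).

    Example packets must get the requested action; all other packets must
    keep the verdict the original firewall gave them.
    """
    bad = []
    for pkt in product(HOSTS, PORTS):
        want = examples.get(pkt, verdict(original, pkt))
        if verdict(candidate, pkt) != want:
            bad.append(pkt)
    return bad

# Constructed firewall: hosts 0-7 may reach SSH, every host may reach web ports.
ORIGINAL = [((0, 7), (22,), "ACCEPT"),
            ((0, 15), (80, 443), "ACCEPT")]
# Administrator's examples: host 3 must not reach SSH, host 9 must.
EXAMPLES = {(3, 22): "DROP", (9, 22): "ACCEPT"}

# A hand edit that satisfies both examples but silently changes other packets.
NAIVE = [((4, 15), (22,), "ACCEPT"),
         ((0, 15), (80, 443), "ACCEPT")]
REPAIRED = repair(ORIGINAL, EXAMPLES)

if __name__ == "__main__":
    print("naive edit violations:", check(ORIGINAL, NAIVE, EXAMPLES))
    print("repaired violations:  ", check(ORIGINAL, REPAIRED, EXAMPLES))
```

The hand edit passes both examples yet changes the SSH verdict for ten other hosts, which is the class of side effect the preservation check is meant to rule out.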

Updated: 2020-09-30