0sec06 - 1.0

0sec 2006
a private security event for friends

Speakers
Hannes Mehnert
Schedule
Day 2
Room Talk
Start time 21:00
Duration 01:00
Info
ID 21
Type Lecture
Track Talks
Language English

Secure networking with Dylan-based domain-specific language

The security industry is in a paradoxical situation: many security appliances and analysis tools, be they IDS systems, virus scanners, firewalls or others, suffer from the same weaknesses as the systems they try to protect. What makes them vulnerable is the vast amount of structured data they need to understand to do their job, and the bugs that invariably manifest in parsers for complex protocols when those parsers are written in unsafe programming languages.

We present the design and implementation of a domain-specific language (DSL) for description of structured byte-oriented protocols that addresses this problem. The DSL is applicable to a wide range of problems, such as network communication or file formats, and allows the programmer to write an abstract definition of some packet format, from which parsers and generators are then created automatically. That mechanism saves the programmer from tedious manual work for supporting new protocols, and at the same time prevents him from introducing vulnerabilities into the parsing process.

Our DSL is implemented on top of Dylan, a dynamically typed, object-oriented programming language. It makes heavy use of the Dylan macro facility to extend the language for the domain of packet format description, without sacrificing performance in the process. Beyond the safety gained by automating the parser creation process, Dylan provides additional security by its strong typing, mandatory bounds checking and automated memory management.
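The idea of the two paragraphs above, sketched in Python as an added example (this is not code from the talk or from the Dylan packetizer): a declarative field description from which one generic, bounds-checked parser and its matching generator are derived, so a new format is a table of fields rather than hand-written offset arithmetic. The `Field`, `UDP`, `parse` and `generate` names are this example's own, and the UDP layout is given as a constructed sample spec.

```python
import struct
from dataclasses import dataclass
class PacketError(ValueError):
    pass  # raised on truncated or inconsistent input instead of reading out of bounds

@dataclass(frozen=True)
class Field:
    name: str
    fmt: str = ""          # struct format of a fixed-size field, e.g. ">H"
    length_from: str = ""  # variable-size field: name of the field holding the total length
    header_size: int = 0   # bytes preceding the variable field, subtracted from that length
# Constructed spec for a UDP datagram (RFC 768); "length" counts the 8-byte header too.
UDP = [
    Field("src_port", ">H"),
    Field("dst_port", ">H"),
    Field("length", ">H"),
    Field("checksum", ">H"),
    Field("payload", length_from="length", header_size=8),
]

def parse(spec, data):
    """Generic spec-driven parser; every read is bounds-checked before it happens."""
    values, offset = {}, 0
    for f in spec:
        if f.fmt:
            size = struct.calcsize(f.fmt)
        else:
            size = values[f.length_from] - f.header_size
            if size < 0:
                raise PacketError(f"{f.length_from} is smaller than the header")
        if offset + size > len(data):
            raise PacketError(f"truncated in {f.name}: need {size} bytes at offset {offset}")
        chunk = data[offset:offset + size]
        values[f.name] = struct.unpack(f.fmt, chunk)[0] if f.fmt else bytes(chunk)
        offset += size
    return values

def generate(spec, values):
    """Generic generator, the inverse of parse; length fields are derived, not trusted."""
    dependents = {g.length_from: g for g in spec if g.length_from}
    out = bytearray()
    for f in spec:
        if f.name in dependents:
            g = dependents[f.name]
            out += struct.pack(f.fmt, g.header_size + len(values[g.name]))
        elif f.fmt:
            out += struct.pack(f.fmt, values[f.name])
        else:
            out += values[f.name]
    return bytes(out)
```

A truncated datagram, a length field smaller than the header, or a length field larger than the data all end in a `PacketError` rather than a read past the buffer, which is the property the generated parsers are meant to give for free.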

We also show the implementation of a userland TCP/IP stack, which uses the packetizer DSL for description of network packet formats, as well as a packet flow graph framework for packet processing and a layering mechanism for protocol handling.

The flow graph allows the user to connect packet processing nodes such as packet sources, sinks, decapsulators, demultiplexers and filters into complex arrangements for handling packets. It can be used to implement applications like filtering bridges or network analysis tools in just a couple of lines of code.

The layering mechanism handles the stacking of protocol layers. In theory, one OSI layer corresponds to one instance of a layer object; there are, for instance, layers to handle Ethernet, IP and UDP, which are stacked on top of each other. In practice, TCP/IP has parts which cannot be clearly attributed to a specific OSI layer (ARP being the prominent example), so we handle the bonding of layers using adapter objects, which know about both of the layers they connect. Stackability of layers allows easy implementation of protocols such as IP-over-ICMP.