A domain-specific language for filtering in application-level gateways

Application-level packet filtering is a technique for network access control in which an “application-level gateway” intercepts network packets at the application level (e.g., HTTP, FTP), scans them for security concerns and optionally logs, rewrites or discards them. Existing application-level filters express their filtering rules in general-purpose languages, which limits the correctness guarantees available for them. We present the first declarative language for application-level network filtering, developed at Advenica AB. Our DSL uses security assertions to express properties that packets must have to be allowed through the network (e.g., “IMAP packet contains no executable attachment” or “SQL reply contains only explicitly permitted columns”), along with remedies that either reject or rewrite undesirable packets. We have designed the language around the needs of network filter developers, with a focus on correctness: our language can statically verify several properties of filter programs, such as well-formedness of the outcome, confluence, and termination, with the help of an off-the-shelf SMT solver. Our initial results show that the language can express many typical filtering tasks, closely maps to the application domain, and provides strong correctness guarantees.
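As an added example (not the paper's DSL and not Advenica's code), the Python below models the abstract's two ingredients, security assertions paired with reject or rewrite remedies, and the two checks it names, well-formedness of the outcome and confluence, by brute force over rule orderings rather than with an SMT solver; the packet shape, the permitted-column policy and the executable-extension list are constructed assumptions.

```python
from itertools import permutations
# Constructed model, not the paper's DSL: a filter is a list of
# (assertion, remedy) pairs. An assertion is a predicate a packet must
# satisfy; a remedy rejects the packet (returns None) or rewrites it.
PERMITTED_COLUMNS = {"id", "username", "email"}  # assumed policy
EXECUTABLE_EXTS = (".exe", ".scr", ".bat")       # assumed policy

def sql_reply_only_permitted_columns(pkt):
    return pkt["kind"] != "sql_reply" or set(pkt["columns"]) <= PERMITTED_COLUMNS

def strip_unpermitted_columns(pkt):
    # Rewrite remedy: project the reply onto the permitted columns.
    return {**pkt, "columns": [c for c in pkt["columns"] if c in PERMITTED_COLUMNS]}

def imap_no_executable_attachment(pkt):
    return pkt["kind"] != "imap" or not any(
        a.lower().endswith(EXECUTABLE_EXTS) for a in pkt["attachments"])

def reject(pkt):
    return None  # Reject remedy: the packet is dropped.

RULES = [
    (sql_reply_only_permitted_columns, strip_unpermitted_columns),
    (imap_no_executable_attachment, reject),
]

def apply_filter(pkt, rules=RULES, max_steps=10):
    """Apply remedies until every assertion holds; None means rejected.
    The paper checks termination statically; here a step bound guards it."""
    for _ in range(max_steps):
        failing = [remedy for check, remedy in rules if not check(pkt)]
        if not failing:
            return pkt
        pkt = failing[0](pkt)
        if pkt is None:
            return None
    raise RuntimeError("filter did not converge")

def well_formed_outcome(pkt, rules=RULES):
    """Outcome check: anything the filter lets through satisfies every assertion."""
    out = apply_filter(pkt, rules)
    return out is None or all(check(out) for check, _ in rules)

def confluent(pkt, rules=RULES):
    """Brute-force confluence check: every rule ordering yields the same outcome."""
    outcomes = [apply_filter(pkt, list(order)) for order in permutations(rules)]
    return all(o == outcomes[0] for o in outcomes)

SQL_REPLY = {"kind": "sql_reply", "columns": ["id", "password_hash", "email"]}  # constructed
IMAP_MAIL = {"kind": "imap", "attachments": ["report.pdf", "invoice.EXE"]}        # constructed
```

The SQL reply is rewritten down to its permitted columns, while the IMAP message carrying an executable attachment is rejected; both checks pass for both packets.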
