Annual Computer Security Applications Conference (ACSAC) 2016


Spicy: A Unified Deep Packet Inspection Framework for Safely Dissecting All Your Data

Deep packet inspection (DPI) systems process wire-format network data
from untrusted sources, collecting semantic information from a variety
of protocols and file formats as the data works its way upwards through
the network stack. However, implementing corresponding dissectors for
the potpourri of formats that today's networks carry remains
time-consuming and cumbersome, and it also poses fundamental security
challenges. We introduce a novel framework, Spicy, for dissecting
wire-format data that consists of (i) a format specification language
that tightly integrates syntax and semantics; (ii) a compiler toolchain
that generates efficient and robust native dissector code from these
specifications just-in-time; and (iii) an extensive API for DPI
applications to drive the process and leverage the results. Furthermore,
Spicy can reverse the process as well, assembling wire format from the
high-level specifications. We pursue a number of case studies that
showcase dissectors for network protocols and file formats,
individually as well as chained into a dynamic stack that processes
raw packets up to application-layer content. We also demonstrate a
number of example host applications, from a generic driver program to
integration into Wireshark and Bro. Overall, this work provides a new
capability for developing powerful, robust, and reusable dissectors
for DPI applications. We publish Spicy as open source under a BSD
license.

Authors:

Robin Sommer
International Computer Science Institute / Lawrence Berkeley National Laboratory
United States

Johanna Amann
International Computer Science Institute
United States

Seth Hall
International Computer Science Institute
United States
