An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk...
-
Upload
sarah-charles -
Category
Documents
-
view
212 -
download
0
Transcript of An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk...
![Page 1: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/1.jpg)
An IST Project http://www.ist-lobster.org/
1Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
The Ruler Anonymization Language
Kees van ReeuwijkHerbert Bos
Vrije Universiteit Amsterdamherbertb _AT_ cs.vu.nl
http://www.ist-lobster.org/
![Page 2: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/2.jpg)
An IST Project http://www.ist-lobster.org/
2Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Privacy
• a shared monitoring infrastructure? what about privacy?!
Before talking about privacy ask the following: would you share information?
![Page 3: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/3.jpg)
An IST Project http://www.ist-lobster.org/
3Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Responses vary…
– No, absolutely not. I will not reveal any information• I will not reveal even the load of my network
– Maybe I can share some general statistics • what traffic goes in and out of my network
– I am willing to share the headers of the packets • IP addresses anonymized, payload stripped • just like NLANR does today
– I would like to share• all information with my local administrators • some information with associated researchers• anonymized information with the rest of the world
– Yes – share everything! • information wants to be free!
Lobster can provide all of the above
![Page 4: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/4.jpg)
An IST Project http://www.ist-lobster.org/
4Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
2. anonymization policy enforcement• making sure parties only get properly
anonymized traces• determines who gets access to what
How does it work?
1. applying anonymisation functions• functionality to strip/hash payloads, zero
addresses, etc. library of possible anonymisation
functions• framework to apply these functions
on traffic
![Page 5: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/5.jpg)
An IST Project http://www.ist-lobster.org/
5Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
How does it work?
1. applying anonymisation functions• functionality to strip/hash payloads, zero
addresses, etc. library of possible anonymisation
functions• framework to apply these functions
on traffic
2. anonymization policy enforcement• making sure parties only get properly
anonymized traces• determines who gets access to what
UNCHANGED
MAP TO INTEGER
MAP ACCORDING TO DISTRIBUTION
STRIP
RANDOMFILENAME RANDOM
HASH
PATTERN FILLZERO
REPLACE
PREFIX PRESERVING REGEXP
CHECKSUM ADJUST
SUBFIELD
![Page 6: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/6.jpg)
An IST Project http://www.ist-lobster.org/
6Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
How does it work?
1. applying anonymisation functions• functionality to strip/hash payloads, zero
addresses, etc. library of possible anonymisation
functions• framework to apply these functions
on traffic
2. anonymization policy enforcement• making sure parties only get properly
anonymized traces• determines who gets access to what
Ruler:• special-purpose, high-level language• for packet rewriting in general• and anonymization in particular
What is so nice about it?• easy to specify needs • fast, efficient• translates to low-level HW
![Page 7: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/7.jpg)
An IST Project http://www.ist-lobster.org/
7Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
different policies
• different anonymization rules for different users• credentials determine what sort of access is
allowed
![Page 8: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/8.jpg)
An IST Project http://www.ist-lobster.org/
8Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Ruler
• a simple rule-based language– Generic sanitization– Efficient (DFA-based)
implementation– Strive to make implementation in
HW possible– Design to allow for (future) formal
reasoning– Understand common network
protocols – Extensible
![Page 9: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/9.jpg)
An IST Project http://www.ist-lobster.org/
9Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Ruler
• Patterns and filters consisting of rules pattern:
pattern udpHeader: ( source: byte #2 dest: byte #2 len: byte #2
checksum: byte #2)
filter:include layouts.rlifilter simple
eh:Ethernet_header iph:IPv4_header *=> eh iph with [src=0, dest=0];
![Page 10: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/10.jpg)
An IST Project http://www.ist-lobster.org/
10Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Matching language
• Fixed number of bytes, fixed value42#1 5 0x800#2 “url”
• Fixed number of bytes, arbitrary valuebyte#2 byte#1 byte
• Arbitrary number of bytes and value*
![Page 11: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/11.jpg)
An IST Project http://www.ist-lobster.org/
11Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Matching language: bit patterns
• Surrounded by {}• Fixed number of bits, fixed value
42#7 0 0x800#16
• Fixed number of bits, arbitrary value
bit#2 bit#1 bit
![Page 12: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/12.jpg)
An IST Project http://www.ist-lobster.org/
12Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Matching language: labels
• Patterns can be labeledsource: byte #6 dest: byte #6payload: *
• Patterns can be grouped with bracketsether: (s:byte#6 d:byte#6 p:byte#2)
• Note the nested labels: ether refers to 14 bytes, ether.s refers to 6 bytes
![Page 13: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/13.jpg)
An IST Project http://www.ist-lobster.org/
13Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Matching language: patterns
• Patterns can be defined and named separatelypattern ether: ( s:byte#6 d:byte#6 p:byte#2)
• Allows re-use of common patterns
![Page 14: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/14.jpg)
An IST Project http://www.ist-lobster.org/
14Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
include files
• Definitions can be included from another fileinclude “layouts.rli”
• Normally used for pattern definitions, but can be used for filters too
• layouts.rli defines many common header layouts: ethernet, IP, TCP, UDP, etc.
![Page 15: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/15.jpg)
An IST Project http://www.ist-lobster.org/
15Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
use of labels
• Pattern names can now be used instead of the pattern they stand forether * "warez" *
• Can be used in rewrite actions:a:byte#2 b:* => b a
• The trick is to do it fast
![Page 16: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/16.jpg)
An IST Project http://www.ist-lobster.org/
16Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
The with construct
• The with construct replaces named parts of a pattern with other patternsether with [p=0x0806#2]
• Restrictions: replacement pattern may not be longer or shorter than the original.ether with [p=42] // WRONG (1 byte)
![Page 17: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/17.jpg)
An IST Project http://www.ist-lobster.org/
17Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Rule actions
• Action is one of:– reject– accept, accept 5– result pattern
![Page 18: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/18.jpg)
An IST Project http://www.ist-lobster.org/
18Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Tagged Deterministic Finite Automata
• We compile to a Tagged Deterministic Finite Automaton (TDFA)
• Tagged because we need the position of sub-patterns.
• States:– stop (we know what action to take)– inspect (look at a byte, branch)– tag (register positions in the input)– jump (skip irrelevant input bytes)– memory inspect (look at previous input)
![Page 19: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/19.jpg)
An IST Project http://www.ist-lobster.org/
19Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
applications
• besides anonymisation we also applied Ruler to intrusion detection
• developed a snort2ruler compiler– translates majority of Snort rules automatically– some rules need manual help– some rules cannot be translated as is– implemented in parallel
on an Intel IXP2400 network processor
![Page 20: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/20.jpg)
An IST Project http://www.ist-lobster.org/
20Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
extensibility
• Ruler is extensible: it may call external functions
filter zap_url head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => head @hash(url) tail ;
– allows us to use libraries of previously developed anonymisation functions
• in Lobster we have integrated Ruler with MAPI – a Ruler program can be applied to packets of arbitrary flows– Ruler may use MAPI’s default anonymisation functions
![Page 21: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/21.jpg)
An IST Project http://www.ist-lobster.org/
21Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Ruler for IDS
![Page 22: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/22.jpg)
An IST Project http://www.ist-lobster.org/
22Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
Preliminary results
• able to keep up with gigabit scanning(only small number of rules tested)
• large number of rules:– large number of states– long compilation
• Gigabit rates:even on IXP withreal traffic
![Page 23: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/23.jpg)
An IST Project http://www.ist-lobster.org/
23Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
ruler – the language
conclusions
• useful• efficient• multiple application domains• state space may be the limiting factor• fits in FFPF and Lobster
![Page 24: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/24.jpg)
An IST Project http://www.ist-lobster.org/
24Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
EXAMPLES
![Page 25: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/25.jpg)
An IST Project http://www.ist-lobster.org/
25Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
SISAL
include layouts.rlifilter two_rules
eh: Ethernet_header iph: IPv4_header payload:(* “/bin/sh” *)=> reject ;
eh: Ethernet_header iph: IPv4_header payload:*=> eh iph with [src=0, dest=0] ;
include layouts.rlifilter rewrite
eh:Ethernet_header iph:IPv4_header with [ proto=17] udph:udpHeader * => iph.src iph.dest udph.source udph.dest udph.len ;
1
2
![Page 26: An IST Project 1 Herbert Bos, VU, herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.](https://reader030.fdocuments.us/reader030/viewer/2022032722/56649cef5503460f949bdd7b/html5/thumbnails/26.jpg)
An IST Project http://www.ist-lobster.org/
26Herbert Bos, VU, http://www.cs.vu.nl/~herbertb
SISAL
include layouts.rlifilter zap_url
head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => head "XXX" tail;
include layouts.rlifilter zap_url head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => head @hash(url) tail ;
4
3