A Domain-Specific Language for Filtering in Application-Level Gateways

Research output: Chapter in Book/Report/Conference proceedingPaper in conference proceeding

Abstract

Application-level packet filtering is a technique for network access control in which an “application-level gateway” intercepts network packets at the application level (e.g., HTTP, FTP), scans them for security concerns and optionally logs, rewrites or discards them. Existing application-level filters express their filtering rules in general-purpose languages, which limits the correctness guarantees available for them. We present the first declarative language for application-level network filtering, developed at Advenica AB. Our DSL uses security assertions to express properties that packets must have to be allowed through the network (e.g., “IMAP packet contains no executable attachment” or “SQL reply contains only explicitly permitted columns”), along with remedies that either reject or rewrite undesirable packets. We have designed the language around the needs of network filter developers, with a focus on correctness: our language can statically verify several properties of filter programs, such as well-formedness of the outcome, confluence, and termination, with the help of an off-the-shelf SMT solver. Our initial results show that the language can express many typical filtering tasks, closely maps to the application domain, and provides strong correctness guarantees.

Details

Authors
Organisations
External organisations
  • Advenica AB
Research areas and keywords

Subject classification (UKÄ) – MANDATORY

  • Computer Science

Keywords

  • network security, domain-specific languages, packet filtering, filtering language
Original languageEnglish
Title of host publicationProceedings of the 19th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences
Place of PublicationNew York, NY, USA
PublisherAssociation for Computing Machinery (ACM)
Pages111–123
ISBN (Print)9781450381741
Publication statusPublished - 2020 Nov
Publication categoryResearch
Peer-reviewedYes
Event19th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences, GPCE 2020 - Virtual, United States
Duration: 2020 Nov 162020 Nov 17

Conference

Conference19th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences, GPCE 2020
CountryUnited States
CityVirtual
Period2020/11/162020/11/17

Total downloads

No data available

Related projects

Christoph Reichenbach

2017/10/162021/10/15

Project: ResearchIndividual research project, Internal collaboration (LU)

View all (1)