Retargetable Protocol Conformance Specifications

Studenteropgave: Speciale (inkl. HD afgangsprojekt)

  • Lars Riis Olsen
4. semester, Datalogi, Kandidat (Kandidatuddannelse)
Over the years the need for a more powerful firewall classification scheme to supplement stateless packet classification has become apparent. As a response to this demand Stateful Inspection (SI) was developed. While significantly more powerful, this scheme has a number of inherent disadvantages. One of the most predominant ones being its inherent dependence on custom made protocol conformance specifications against which the inspected streams can be checked.

Currently, SI capable firewalls implement these specifications by hard-coding them into the firewall using the generic language used to implement the rest of the firewall. While simple, this approach however has a number of disadvantages in terms of complexity and subsequently in terms of the correctness of the implemented specifications. In effect this complexity means that the risk of errors present in these specifications is considerable and as a result the overall level of security imposed by the firewall might be decreased.

In this report we propose, implement, and test a system capable of easing the task of specifying and implementing protocol conformance specifications. Using this system the risk of errors should therefore be reduced and as a result the general level of security should be increased. This is achieved through the introduction of retargetable specifications which can be re-used across different firewall implementations while at the same time be implemented using a custom made language. This way, more effort can be put into the development and testing of one shared specification, as opposed to its complete reimplementation on each available firewall.
Udgivelsesdatojan. 2005
ID: 61063442