AAU Student Projects - visit Aalborg University's student projects portal
A master's thesis from Aalborg University
Book cover


Retargetable Protocol Conformance Specifications

Author

Term

4. term

Education

Computer Science, Master

Publication year

2005

Abstract

Firewalls styrer, hvilken netværkstrafik der må passere. Traditionel tilstandsløs filtrering ser på hver enkelt pakke uden at kende sammenhængen. For at opdage mere komplekse mønstre bruger man Stateful Inspection (SI), som følger forbindelsers tilstand og kontrollerer, om trafikken overholder protokollens regler (protokoloverensstemmelse). SI er dog afhængig af detaljerede specifikationer for, hvordan en protokol skal opføre sig. I dag indbygges disse regler ofte direkte i firewallens almindelige kode. Det gør dem svære at skrive, genbruge og verificere, hvilket øger kompleksiteten og risikoen for fejl—og kan dermed svække sikkerheden. Denne rapport foreslår, implementerer og tester et system, der gør det lettere at udforme og anvende sådanne specifikationer. Systemet introducerer retargetable specifikationer, skrevet i et specialudviklet sprog, som kan genbruges på tværs af forskellige firewall-implementeringer. Ved at adskille specifikationen fra selve firewall-koden og muliggøre genbrug kan indsatsen samles om at udvikle og teste én fælles specifikation, hvilket mindsker fejl og i sidste ende forbedrer den overordnede sikkerhed.

Firewalls control which network traffic is allowed. Traditional stateless filtering examines each packet on its own, without context. To catch more complex patterns, Stateful Inspection (SI) tracks the state of connections and checks whether traffic follows the rules of a protocol (protocol conformance). However, SI depends on detailed specifications that describe how a protocol should behave. Today, many firewalls hard-code these rules into the same general-purpose code base, which makes them hard to write, reuse, and verify. This increases complexity and the risk of mistakes, potentially weakening security. This report proposes, implements, and tests a system that makes it easier to create and use such specifications. The system introduces retargetable specifications, written in a custom language, that can be reused across different firewall implementations. By separating the specification from the firewall’s code and enabling reuse, effort can focus on developing and testing one shared specification, reducing errors and, in turn, improving overall security.

[This abstract was generated with the help of AI]

Documents

Download
View record in AAU Student Projects